Last year, I wrote two articles about Internet privacy laws: “Privacy Laws: How Do I Comply With The GDPR And The CCPA?” and “Making Sense of Internet Privacy Law.” Those articles dealt with the most significant and impactful laws: California’s CCPA and the European Union’s GDPR. Those two laws are still critically important for large national or international businesses. But as I mentioned in the first article in this series, more and more states are passing Internet privacy laws. Two of North Carolina’s neighbors have done so:
- The Virginia Consumer Data Protection Act (VCDPA) has been in effect since January 1, 2023, and
- The Tennessee Information Protection Act (TIPA) was recently signed into law and will take effect on July 1, 2024.
In this blog, I’ll explain who and what those laws protect, which businesses must comply with them, and what those businesses have to do.
Who Has To Comply With The VCDPA And The TIPA?
The VCDPA’s restrictions and obligations apply to any for-profit business that “targets” Virginia consumers and (a) controls or processes the personal data of at least 100,000 consumers or (b) controls or processes the personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data.
The TIPA similarly applies only to for-profit businesses but has a slightly higher threshold. The TIPA applies to companies that: (a) have more than $25 million in annual revenue and control or process the personal information of 175,000 or more Tennessee consumers or (b) control or process the personal information of 25,000 or more Tennessee consumers and derive over 50% of their gross revenue from the sale of that information.
In both Tennessee and Virginia, “processing” includes the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. “Control” means determining the purpose and means of any data processing.
Just like with the GDPR and the CCPA, you shouldn’t assume that these laws apply only to businesses with offices, warehouses, or stores in Virginia or Tennessee. Using the Internet to reach consumers in either state is enough to require compliance with these laws, regardless of whether the business has a physical presence or provides tangible goods or services there.
Who And What Is Protected By These Laws?
Both the VCDPA and the TIPA protect the same class of persons: “consumers.” Each law also defines that term similarly. A consumer is a person residing in the relevant state and acting personally. Practically, that means that the laws don’t protect people when they’re working as an employee or owner of a business, and they don’t apply in business-to-business transactions or interactions.
The VCDPA protects “personal data,” which means any information linked or reasonably linkable to a Virginia consumer. That definition excludes any information in public records and all health information covered by HIPAA and other laws. Similarly, the TIPA protects “personal information,” which is information linked or reasonably linkable to a Tennessee consumer. “Personal information” does not include pseudonymous data, de-identified data, aggregate data, or information in public records.
Both laws also use the term “sensitive data” to refer to any personal data/information that includes racial or ethnic origin, religious belief or affiliation, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, the personal data/information from anyone known to be under 13 years of age, and any geolocation data which can be used to establish a location within a ¼ mile radius. Sensitive data gets all the same protections as personal data/information but is also subject to additional safeguards.
What Rights Do Consumers Have?
The VCDPA and the TIPA grant consumers virtually equal rights concerning their personal data/information. In both states, consumers have the right to:
- Know what data is being collected;
- Confirm whether and why a controller is processing their data;
- Access a copy of their data;
- Correct inaccuracies in their data (with some limitations or exceptions);
- Have their data deleted;
- Opt out of data collection for targeted advertising, the sale of data, or profiling through automated or algorithmic means; and
- Not be discriminated against by a company for exercising any of the preceding rights.
Companies are required to set up processes for consumers to file requests to exercise the above rights. They must also have a process for explaining the approval or denial of those requests and responding to appeals from denials.
What Are The Other Major Requirements?
In addition to complying with consumers’ rights, companies subject to the VCDPA and TIPA also have to fulfill several other legal obligations. For example, both laws require that company websites display a privacy notice, which must clearly inform the consumer of the categories of data being collected, the purpose of any processing, including the processing of personal information for targeted advertising or profiling, the sale of personal information, the processing of sensitive data, and the consumer’s rights concerning their personal information. Additionally, both laws prohibit the processing of sensitive data without express consent from the consumer.
If a company is selling information, processing information for the purposes of targeted advertising or profiling, or processing any sensitive information, both laws require the company to perform a data protection assessment that weighs the risks and benefits of the processing, the potential harms to the consumer, and the safeguards the company takes to mitigate those harms. These assessments must be kept on file and can be reviewed by the attorney general of the applicable state.
Finally, both the TIPA and the VCDPA require companies to draft special contracts with any “processors” or third parties to whom they outsource any data processing. These contracts must bind the processors to respect the company’s obligations under the applicable law and must give clear instructions regarding the nature and purpose of data processing, the types of data to be processed, and the duration of processing. The contracts must also compel the processors to delete or return the data after the processing is complete.
How Can Venn Law Group Help?
Just like with GDPR or CCPA compliance, Venn Law Group has experience helping businesses determine which Internet privacy laws apply and how these laws impact their operations. We’ve also worked with several clients to develop compliant data processing practices and contracts to minimize disruption and liability and maximize the efficiency of operations. Contact us to learn more about what our corporate law practice group can do for your business.
Edward B. Woodall is an attorney at Venn Law Group who works in corporate law and commercial real estate, including leasing, financing, taxation, business structures, and dispute resolution. He is passionate about helping business owners solve a variety of complex legal problems and has performed more than 100 hours of pro bono work. In addition to his law degree, he also has a background in history and Spanish.

