Data Privacy Update for Private Fund Managers — Virginia Consumer Data Protection Act
April 6, 2021
On March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act (“CDPA”)[1] — a comprehensive data privacy law that is only the second state statute of its kind.[2] The requirements of the CDPA resemble aspects of both the California Consumer Privacy Act (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”). However, unlike the CCPA and GDPR, most private fund managers will be exempted from the CDPA because (1) it includes a broad exemption for financial institutions that are subject to the Gramm-Leach-Bliley Act (“GLBA”) and, in any event, (2) it would only apply to a fund manager that, during a calendar year, processes personal data of at least 100,000 Virginia consumers.[3] One context in which the CDPA may be relevant is for private fund managers that use “alternative data” as part of the investment research process. Personal information may be part of the underlying data utilized, and managers should take steps to seek to ensure that potential vendors collect and license data consistent with applicable privacy laws.
What Is the CDPA?
The CDPA, a privacy law that takes effect on Jan. 1, 2023, provides Virginia residents various rights to access and control their personal data. Like the CCPA and GDPR, the CDPA will impose requirements on businesses to make certain disclosures concerning the collection and use of personal information, inform consumers about their rights and establish and implement reasonable data security practices to protect personal data. The CDPA will be enforced by the Virginia Attorney General, who may seek damages of up to $7,500 for each violation.[4] The statute, however, does not provide a private right of action.[5]
Most Private Fund Managers are Not Subject to the CDPA
The CDPA will apply to “personal data,” which it defines broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” However, most private fund managers will not be required to comply with the requirements of the CDPA for two reasons.
First, the CDPA exempts financial institutions or data subject to Title V of GLBA.[6] Notably, the GLBA exemption in the CDPA is much broader than the GLBA exemption in the CCPA, which is limited only to information subject to GLBA.
Second, the CDPA only applies to businesses that, during a calendar year, control or process (i) personal data of at least 100,000 Virginia consumers or (ii) personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data. “Consumers” is defined as a “natural person” who resides in Virginia “acting only in an individual or household context.”[7] This is also a departure from the approach taken by the CCPA, which broadly covers any business that collects personal information from a California resident, without regard to the number of California residents.[8]
Considerations for Fund Managers that Use Alternative Data
Although most fund managers will themselves be exempt from the CDPA, managers that purchase alternative data from vendors will need to take account of the CDPA for data that will be collected after the CDPA goes into effect. While the full range of compliance issues associated with the use of alternative data is beyond the scope of this Alert, these are some examples of how the CDPA may be relevant to a compliance review:
- During the due diligence process, as part of confirming that a vendor is not obtaining personal data in breach of any of its duties or in breach of any applicable laws, fund managers will need to ensure that the vendor complies (or, if applicable, the sources of its data comply) with the CDPA if it collects (or, if applicable, its sources of data collect) data from at least 100,000 Virginia consumers (or 25,000 Virginia consumers in the case of a business that derives over 50% of gross revenue from the sale of personal data).
- Alternative data licensed by fund managers is typically “de-identified,” meaning it does not contain data identifying specific natural persons. However, it can be important to scratch below the surface of what this means to ensure compliance with law. Under the CDPA, a controller that possesses “de-identified data” must (i) take reasonable measures to ensure that the data cannot be associated with a natural person, (ii) “publicly commit”[9] to maintaining and using de-identified data without attempting to re-identify the data and (iii) contractually require any recipients of the de-identified data to comply with the CDPA.[10]
- The CDPA excludes information that a business “has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.” This is significant for private fund managers that ingest Twitter, Reddit and certain web scraped data that may include an individual’s name or other information and would be considered personal information under certain privacy laws.
Is Compliance with the CCPA and GDPR Sufficient to Comply with the CDPA?
Virginia legislators modeled the CDPA on the CCPA, the California Privacy Rights Act (which builds on the CCPA and also takes effect on Jan. 1, 2023), and the GDPR. For companies that are subject to the CDPA, including alternative data vendors and consumer-facing portfolio companies, and already have a privacy program that complies with the CCPA and GDPR, compliance with the CDPA will be easier. However, CDPA compliance may require further steps. For example, the CDPA requires covered entities to undertake data protection assessments[11] and enter into vendor agreements with certain required language.[12] As another example, attention may also need to be paid to the process for “de-identification” of data, as discussed above in the context of alternative vendor due diligence.
Looking Ahead
The CDPA underscores that privacy continues to be a focus for legislators and has implications for fund managers even when an exemption applies. Similar privacy bills have been introduced in at least eighteen other states, the result of which could be an unwieldy patchwork of state law privacy requirements. It remains to be seen whether federal legislation will preempt the CDPA and other such contemplated laws. On March 10, 2021, the first comprehensive federal privacy bill, the Information Transparency and Personal Data Control Act,[13] was introduced in the U.S. House of Representatives. If passed, the bill would create a more unified national standard by preempting conflicting state law. We will continue to update you as this dynamic area of the law evolves.
Authored by Edward H. Sadtler, Kelly Koscuiszka, Jennifer A. Gordon and Angela Garcia.
If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors.
[1] Consumer Data Protection Act, Va. Code Ann. §§ 59.1-571—59.1-581 (2021) (effective Jan. 1, 2023).
[2] The first and most significant enacted privacy legislation applicable to private fund managers is the CCPA. Our previous Alerts, including our December 2019 Alert and our June 2020 Alert, provide further information on how the CCPA applies to private fund managers.
[3] The CDPA also applies to entities that process personal data on behalf of the data controller, although their obligations are more limited.
[4] Va. Code Ann. § 59.1-579(B).
[5] By comparison, the CCPA provides a limited private right of action provided solely to consumers whose personal information (defined more narrowly for these purposes) has been subject to unauthorized access or disclosure as a result of the covered business’ failure to maintain reasonable security procedures.
[6] Most fund managers are subject to Title V of the GLBA, as financial institutions that collect “nonpublic personal information” about natural persons to provide a financial product or service. Fund managers that are not subject to, or are uncertain whether they are subject to Title V will want to consult legal counsel to determine what requirements they may have under the CDPA.
[7] Va. Code Ann. § 59.1-571.
[8] See generally California Consumer Privacy Act, CAL. CIV. CODE § 1798.145.
[9] The CDPA does not elaborate on what this means.
[10] Va. Code Ann. § 59.1-577.
[11] While the GDPR also requires data protection assessments, the CDPA’s requirement differs. Specifically, the CDPA requires controllers to conduct data protection assessments to evaluate the risks associated with a range of activities, including processing of “sensitive personal data” (e.g., personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child; or precise geolocation data) and processing that leads to a “heightened risk of harm to consumers.” Va. Code Ann. § 59.1-576(A).
[12] The CDPA requires that agreements between controllers and data processors delineate clear instructions for processing personal data, specify what types of personal data will be processed and how long it will be processed, specify each party’s rights and/or obligations and guarantee that data processors are subject to a duty of confidentiality. While the CCPA and GDPR also have requirements with respect to vendor agreements, they are somewhat different.
[13] H.R. 2013, 117th Cong. (2021).
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2021 Schulte Roth & Zabel LLP.
All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.