On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the "VCDPA") into law. The VCDPA, which will become effective January 1, 2023, creates rights and obligations related to the collection and processing of consumer personal data. While many of these rights are similar to what we have seen under the California Consumer Protection Act ("CCPA") or Europe's General Data Protection Regulation ("GDPR"), many rights, such as the right to appeal the denial of a consumer data request and the establishment of a 30-day cure period, are new.
A business that controls or processes consumers' personal information must comply with the VCDPA if it: (a) conducts business in the Commonwealth of Virginia or (b) produces products or services that are targeted to residents of the Commonwealth of Virginia; and:
- During a calendar year, control or process personal data of at least 100,000 consumers, or
- Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data
The VCDPA confers six rights to consumers, the majority of which can be exercised via a consumer request:
- Right to confirm whether a controller is processing a consumer's personal data
- Right to access the personal data processed by a controller
- Right to correct inaccuracies in the consumer's personal data
- Right to delete personal data provided by or obtained by a controller
- Right to obtain a copy of the personal data a consumer has provided to the controller in a portable and readily usable format; and
- Right to opt out of processing of personal
  - Targeted advertising
  - Sale of personal data; and
The first five rights above may be exercised by a consumer pursuant to a consumer request. Businesses must establish a secure and reliable process for consumers to submit authenticated requests to exercise their consumer rights. The requirements of a consumer request process are similar to those established under the CCPA, with slight modifications. One of the novel concepts established by the VCDPA is an appeals process for consumer requests.
The VCDPA also introduces the concept of "sensitive data." Sensitive data encompasses multiple categories of data that are already subject to regulation by either federal or state law, such as children's data; genetic or biometric data; precise geolocation data; and sensitive personal information such as racial or ethnic origin, sexual orientation, or citizenship or immigration status. Consumer consent must be obtained prior to processing sensitive data.
The VCDPA establishes a host of additional obligations for businesses that are controlling or processing personal data. Such obligations include:
- Establishing reasonable technical and physical data security practices
- Disclosure of sale of personal data or processing of personal data for targeted advertising
- Entering into contracts with data processors that contain specific provisions
- The use of data protection assessments in certain circumstances
While the VCDPA does not have a private right of action, it is vital that a business comply with all obligations under the VCDPA to avoid hefty penalties and/or an injunction. If a business violates the VCDPA and does not cure the problem within 30 days, the Attorney General may initiate an action in the name of the Commonwealth and seek both an injunction to restrain any violations of the VCDPA and civil penalties up to $7,500 for each violation.
Businesses that control or process data must stay up to date on the latest data privacy laws and regulations as this area continues to evolve. Businesses must take steps towards compliance now, prior to the effective date of the VCDPA, to avoid a last-minute implementation of faulty data privacy practices.