On March 2, 2021, Virginia became the second state in the country to pass a comprehensive privacy law, reinforcing what appears to be a national trend. State legislators passed the Virginia Consumer Data Protection Act (VCDPA) at a remarkably rapid pace. The VCDPA follows the lead of the California Consumer Privacy Act (CCPA) and Europe's General Data Protection Regulation (GDPR), but it also introduces important nuances, building on those two earlier laws, that businesses should heed as they gear up for compliance. As the law is set to go into effect on January 1, 2023, this edition of our Gearing Up for privacy law compliance series provides important information to consider. We will discuss the VCDPA's scope and threshold requirements, key steps to take to gear up for compliance, and how the law will be enforced.

VCDPA's Scope and Threshold Requirements

Much like the GDPR, the VCDPA covers businesses that act as controllers or processors of personal data.

Controllers are defined as the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data. In order to comply with the VCDPA, data controllers must create processes through which they can receive, authenticate, and comply with reasonable consumer personal data requests, as well as set up appeals processes in the event of a consumer request denial. Controllers must, among other duties, also only collect personal data that is adequate, relevant, and reasonably necessary; provide disclosures and privacy notices; and have administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

Processors mainly assist controllers and have fewer regulations with which to comply. The processing a processor performs on a controller's behalf can include the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. Processor compliance relies on vendor contracts with controllers, which must also include instructions and details on how the personal data is to be processed.

Like the CCPA, the VCDPA includes threshold requirements that dictate whether the law applies to a given entity. The VCDPA applies to any business that operates within Virginia, or that produces products or services targeted to Virginia residents, and that:

  • Control or process the personal data of at least 100,000 consumers; or
  • Control or process the personal data of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of personal data.

Given these threshold specifications, some businesses may be able to avoid the VCDPA's reach if the amount of business conducted falls below the delineated threshold or if data is not controlled or processed in the manner defined under the law.

Additionally, it is important to note that, unlike the CCPA, the VCDPA does not consider a business's gross annual revenue. Further, the VCDPA does not apply to public, nonprofit, or higher education entities, nor financial institutions regulated by the Gramm-Leach-Bliley Act or entities regulated by HIPAA. However, if your business falls into one of the exempt categories, it is important to remember that general industry data collection and use practices may change in other ways, as seen in California.

VCDPA Consumer Rights and Exceptions

Although the VCDPA provides many of the same rights as the CCPA and GDPR, it also presents important exceptions that make the law more favorable to businesses.

Consumers may submit a reasonable consumer request in order to exercise their VCDPA rights. After such a request has been made, the VCDPA imposes a 45-day response period on the business. The rights provided in the VCDPA include:

  • The right to confirm whether a consumer's personal data is being processed and to access such personal data;
  • The right to correct inaccuracies;
  • The right to delete personal data;
  • The right to opt out of the use or sale of personal data for the purposes of targeted advertising or profiling;
  • The right to non-discrimination (i.e., a right to equal service and price, even if the individual exercises their privacy rights);
  • The right to request personal data in a portable and, to the extent feasible, readily usable format that allows the consumer to transmit personal data to another entity; and
  • New opt-in rights for the processing or collection of sensitive personal data.

The rights provided in the VCDPA are subject to a multitude of exceptions and limitations. Such exceptions/limitations include:

  • Virginia resident data is only protected at a consumer level, not at an employee or commercial level.
  • The VCDPA's treatment of publicly available information is more robust than the CCPA's definition, as it includes information posted publicly on social media.
  • Pseudonymous data may also be kept by a business, even after a reasonable consumer request is made, as long as the information is kept separate and protected.
  • The VCDPA's definition of a "sale of personal data" is limited to an exchange of personal data for monetary consideration. As such, businesses will still be able to transfer personal data to affiliates or third parties without limitation.
  • The VCDPA's definition of targeted advertising allows businesses to continue use even after an opt-out, as long as the advertising is not based on data sourced from outside the entity or its affiliates.

What Your Business Can Do to Prepare for Compliance

As January 2023 nears, entities that meet the scope and threshold requirements of the VCDPA must begin to prepare for compliance. Beyond the specific steps listed below, Virginia businesses generally need to be transparent about the personal data they collect and to limit data collection to what is adequate and reasonably necessary. To be compliant with the VCDPA, a business must:

  • Draft a VCDPA-compliant privacy policy, disclosing information regarding the data collected and consumers' rights. While the CCPA requires a business to display a privacy policy at or before the point of collection of personal data, the VCDPA does not require Virginia businesses to do so.
  • Facilitate opt-out processes, allowing the consumer to reject the use or sale of their personal data for the purpose of targeted advertising or profiling.
  • Obtain informed consent to the processing and collection of sensitive data (an opt-in right), children's data, or data collected and processed for purposes other than what was previously disclosed to the consumer.
  • Perform Data Protection Assessments, identifying the benefits of acquiring data, the risks attached to processing the data, and how an entity may minimize these risks.
  • Implement Cybersecurity Safeguards that are reasonably required to protect consumers' personal data.

Enforcement

Because the VCDPA only applies to data processed after January 1, 2023, Virginia businesses have some time to focus on preparing for compliance. Once in effect, the VCDPA will be enforced by the Virginia Attorney General. Unlike the CCPA, there is no private right of action for Virginia consumers. In the case of an alleged violation, the Attorney General will give a business written notice identifying the specific alleged violation 30 days before initiation of any action, giving the business a month as a "cure period" to address and solve any potential violations.

Violations of the VCDPA existing after the cure period may subject infringing entities to hefty fines of up to $7,500 per violation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.