The Virginia Consumer Data Protection Act (VCDPA) is a big deal for data protection in the U.S. It builds on California's famous CCPA and CPRA laws, which laid the groundwork. Businesses are trying to figure out what its rules are, so this piece goes into detail about the VCDPA's complexities, including its wide scope, the customer rights it protects, and the responsibilities it gives both managers and processors. Also, we'll compare the VCDPA with similar laws in California. This will give companies a clear guide for navigating the complicated landscape of modern data privacy laws.
Introduction to the VCDPA
The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive consumer privacy law that was signed into law on March 2, 2021 and goes into effect on January 1, 2023. The VCDPA grants new rights to Virginia residents and imposes obligations on businesses that control or process large amounts of personal data of Virginia residents. The VCDPA is enforceable solely by the Attorney General of Virginia, who can seek injunctions and civil penalties up to $7,500 per violation. With the VCDPA, Virginia has become the second U.S. state after California to enact a comprehensive state consumer privacy law.
The VCDPA establishes regulations for how businesses handle and protect consumers' personal data, granting Virginia residents specific rights over their data. It also outlines requirements related to sensitive data, de-identified data, and data protection assessments that businesses must follow. The VCDPA provides the Attorney General of Virginia exclusive authority to enforce the law through investigations, injunctions, and civil penalties. It does not contain a private right of action for consumers.
The VCDPA applies to for-profit entities that conduct business in Virginia or produce products/services targeted at Virginia residents and meet certain data processing thresholds related to the number of consumers and revenue from data sales. Non-profits, higher education, state agencies, HIPAA entities, and GLBA financial institutions are exempt. With key differences from laws like the CCPA, the VCDPA aims to provide clarity on scope and compliance obligations for covered businesses.
Scope and Applicability of the VCDPA
The VCDPA applies to for-profit entities that conduct business in Virginia or produce products/services targeted to Virginia residents, and either: 1) control or process personal data of at least 100,000 consumers or 2) control or process personal data of at least 25,000 consumers and derive over 50% gross revenue from the sale of personal data. Covered entities are referred to as "controllers'' under the law.
Specifically, the law applies to organizations that conduct business in the Commonwealth of Virginia or target residents to sell products/services, and during a calendar year either control or process personal data of over 100,000 Virginia consumers, or control/process data of over 25,000 Virginia consumers if over 50% of gross revenue comes from selling consumer data.
The VCDPA does not apply to several types of organizations, including: non-profit organizations, institutions of higher education like colleges/universities, Virginia state government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and entities regulated under the Health Insurance Portability and Accountability Act (HIPAA) such as healthcare providers.
While the law does not define 'conducting business in Virginia', covered entities can assume the VCDPA applies if they have any economic activity that triggers tax liability or personal jurisdiction in the state. Meeting one of the consumer data processing thresholds is also required, whether over 100,000 consumers or over 25,000 coupled with a majority of revenue from data sales.
With its defined thresholds and exemptions, the VCDPA aims to provide clarity compared to some other consumer privacy laws on which specific organizations fall under its scope. However, covered entities must closely review their data practices and revenue sources to determine if they meet the applicability criteria. Those that control or process significant amounts of Virginia consumer data or profit from such data sales will need to comply with the VCDPA's consumer rights, transparency and data protection requirements starting on January 1, 2023.
Consumer Rights Under the VCDPA
The VCDPA grants Virginia residents specific rights with respect to their personal data, including the right to access, correct, delete, obtain a copy, and opt-out of the sale or processing for targeted advertising/profiling. The law defines "personal data'' broadly as any information linked or reasonably linkable to an identified natural person.
Under the VCDPA, Virginia consumers have the right to:
- Right to access: Consumers have the right to request a copy of the personal data that a business has collected about them.
- Right to correct: Consumers have the right to request that a business correct any inaccuracies in their personal data.
- Right to delete: Consumers have the right to request that a business delete their personal data.
- Right to opt out of sale: Consumers have the right to opt out of the sale of their personal data.
- Right to opt out of targeted advertising: Consumers have the right to opt out of the processing of their personal data for targeted advertising.
- Right to opt out of profiling: Consumers have the right to opt out of the processing of their personal data for profiling, if the profiling results in decisions that have legal or similarly significant effects on the consumer.
The VCDPA protects "personal data" which includes any information that could reasonably be linked back to identify a particular Virginia resident. General public info or de-identified data that cannot identify an individual is not covered.
Certain types of sensitive data have additional protections, including genetic, biometric, health and precise location data. Controllers need opt-in consent from consumers before collecting or processing sensitive data.
Consumers can make requests to exercise their VCDPA rights for free, up to twice per year. Controllers must establish simple mechanisms for consumers to submit authenticated rights requests and appeals. Responses must occur within 45 days, with extensions allowed if communicated to the consumer. The rights under VCDPA give Virginia residents significant control over their personal information.
Controller Obligations and Requirements
Controllers have transparency, purpose limitation, data minimization, reasonableness, non-discrimination, and data security obligations under the VCDPA. They must conduct and document data protection assessments before engaging in targeted advertising, selling data, profiling, processing sensitive data or other high-risk activities.
Some key requirements for controllers under the VCDPA include:
- Limiting collection and retention of consumer data to what is reasonably necessary and not excessive for disclosed purposes
- Establishing reasonable data security practices appropriate for protecting information based on its sensitivity
- Providing transparent privacy notices detailing their data practices and purposes
- Facilitating and timely responding to consumer rights requests
- Obtaining opt-in consent specifically before collecting/processing sensitive data
- Allowing consumers to opt-out of data sales, targeted advertising and profiling
- Not using personal data to discriminate or violate anti-discrimination laws
- Entering data processing agreements with vendors that bind them to VCDPA duties
Controllers also must conduct and document data protection assessments for high-risk data activities like targeted ads, sales to third parties, profiling, handling sensitive data or any processing presenting significant consumer risks.
These assessments require balancing benefits of data processing against potential risks to consumers, taking into account mitigating controls and safeguards. The Virginia Attorney General can request copies of assessments during investigations to ensure they meet VCDPA responsibilities.
Meeting obligations like data minimization, purpose limitation, transparency, consumer rights facilitation, consent requirements and data protection assessments will necessitate thorough reviews of information collection, storage, sharing and processing practices for many controllers. Documentation also becomes important for demonstrating VCDPA compliance.
Processor Roles and Contract Requirements
The VCDPA imposes specific requirements on contracts between controllers and processors. Agreements must detail the processing activities, require confidentiality, mandate cooperation with controllers, and bind subcontractors to VCDPA duties. Processors must assist controllers in meeting consumer rights requests. Unlike the CCPA, the VCDPA does not require controllers to respond to consumer requests to know what personal information is sold or shared.
Under the VCDPA, controllers and processors have distinct definitions and obligations:
- Controllers determine the purpose and means of processing consumer personal data.
- Processors handle personal data on behalf of controllers.
The VCDPA mandates that controllers and processors enter data processing agreements outlining details like:
- Instructions for processing and types of data involved
- Purpose and nature of the processing activities
- Duration of the processing
- Rights and responsibilities of both parties
Contracts must bind processors to specific VCDPA duties like confidentiality, assisting with consumer requests, submitting to audits, and properly handling subcontractors.
Upon controller request, processors must provide information necessary to demonstrate VCDPA compliance and either delete or return data when services conclude, unless retention is legally required.
While similar privacy laws like the CCPA require disclosing categories of third parties that receive sold/shared consumer data, the VCDPA does not explicitly mandate controllers to provide this information in response to consumer requests. However, privacy notices must indicate general categories of third parties if data is sold or disclosed.
Exemptions and Allowances Under the Law
The VCDPA prohibits processing personal data in violation of state/federal anti-discrimination laws. It carves out personal data processed for research adhering to ethics rules, legal obligations, public safety, security purposes and internal operations reasonably aligned with consumer expectations. Employment and B2B data is exempt. Controllers can offer financial incentives/discounts without complying with certain transparency rules.
Though the VCDPA grants consumers extensive privacy rights and control, the law does outline some important exemptions and allowances:
- Personal data processed in an employment context is exempt, except for data used solely for non-work purposes.
- Data processed strictly for non-commercial personal or household purposes is exempt.
- Compliance with other laws like HIPAA or GLBA does not violate the VCDPA.
- Protecting public safety, security, legal rights, and internal confidential operations are allowed.
- Scientific, historical or statistical research conducted under ethical standards is exempt if benefits outweigh privacy risks.
- Data processed to prevent discrimination does not violate the VCDPA.
- B2B data processing and data governed by certain federal laws is generally excluded.
Consumer loyalty and rewards programs may offer different pricing/service without explaining it in privacy notices, but still must comply otherwise.
While providing strong protections and rights, the VCDPA recognizes boundaries where consumer privacy yields to research aims, safety needs, legal duties and realities of commerce. However, covered entities must still facilitate consumer rights for non-exempt data and meet transparency and data protection requirements.
Enforcement and Oversight Authority
The Virginia Attorney General has exclusive enforcement authority over the VCDPA, including issuing investigative demands. Before initiating any action, the AG must provide a 30-day cure period. The VCDPA does not contain a private right of action. Violations may result in injunctions and civil penalties up to $7,500 per violation. While similar to the CCPA, the VCDPA provides greater clarity on scope and applicability.
Enforcement of the VCDPA falls exclusively under the Virginia Attorney General's authority. The AG can pursue the following for violations:
- Issue civil investigative demands to controllers/processors to assess compliance
- Provide 30-day written cure notice to entities before taking action
- Seek injunctions to stop ongoing VCDPA violations
- Pursue civil penalties up to $7,500 per affected consumer
The VCDPA does not incorporate a private right of action, unlike some laws like the CCPA. Only the Attorney General can take enforcement action, not individual consumers.
The 30-day cure period allows controllers/processors time to implement remedies before penalties apply, if violations are promptly addressed. However, failure to cure violations opens businesses to AG lawsuits and significant fines.
While establishing strong consumer privacy guardrails like the CCPA, the VCDPA aims to provide greater clarity on which entities must comply. The law's succinct nature and definitional boundaries strive to avoid ambiguities of applicability and enforcement. However, controllers and processors handling significant Virginia consumer data must closely review obligations to avoid AG scrutiny and penalties.
Key Definitions and Consumer Rights
The VCDPA provides important rights and protections for Virginia residents regarding their personal data collected and processed by covered businesses. Some key definitions under the law include:
Personal Data - Information linked or reasonably linkable to an identified natural person that is not publicly available or de-identified.
Sensitive Data - A subset of personal data like health, genetic, biometric, racial/ethnic, religious, sexual orientation, immigration status, precise geo-location, and data of known minors. Requires opt-in consent.
Consumer - A Virginia resident acting in a personal or household context, not a commercial setting. Employees are excluded.
- Right to confirm if a business is processing their data and access details.
- Right to correct inaccurate personal data.
- Right to delete personal data upon request.
- Right to receive a portable copy of their data.
- Right to opt-out of data sale, targeted advertising and profiling.
- Right to appeal a business's decision on a rights request.
Businesses must provide consumers clear privacy notices and a simple way to submit authenticated rights requests. Requests must be handled promptly and free of charge. Discrimination for exercising rights is prohibited.
Business Obligations and Compliance
The VCDPA imposes obligations on covered businesses that handle Virginia residents' personal data. Key requirements include:
- Conduct data protection assessments for high-risk activities like selling data, targeted ads and profiling. Assess benefits and consumer risks.
- Collect, retain and process only relevant and necessary consumer data for specified purposes.
- Establish reasonable data security practices appropriate for data volume and sensitivity.
- Enter data processing contracts with vendors outlining instructions, safeguards and responsibilities.
- Provide transparent privacy policies on data practices and consumer rights options.
- Facilitate and timely respond to consumer rights requests. Appeals process required.
- Obtain opt-in consent to process sensitive data.
- Allow consumers to opt-out of data sale, targeted ads and profiling.
Applicability and Exemptions
The VCDPA applies to entities conducting business in Virginia or targeting residents for products/services that annually process personal data of:
- 100,000+ Virginia consumers
- 25,000+ and earn 50%+ gross revenue from selling data
Exemptions exist for:
- Government agencies
- Higher education institutions
- HIPAA covered entities
- GLBA financial institutions
- Employee and B2B data
- Household/personal data processing
- Data processed under other laws like HIPAA, GLBA etc.
No private right of action exists. The Attorney General exclusively enforces VCDPA and can seek injunctions and fines up to $7,500 per violation. A 30-day cure period applies before penalties.
The VCDPA does not apply retroactively. Compliance is enforced based on data practices conducted after the January 1, 2023 effective date. Any processing activities started before that date are grandfathered in.
Key Differences from CCPA/CPRA
While the VCDPA and California's CCPA/CPRA laws share similarities in granting consumers new privacy rights, key differences exist:
- VCDPA has no data processing threshold based on revenue. Applicability hinges on the number of consumers.
- VCDPA does not provide a private right of action like CCPA. Enforcement is limited to the Attorney General.
- VCDPA does not mandate responding to consumer requests to know categories of third parties data is sold/shared.
- VCDPA provides clearer definitions around covered consumers and commercial exemptions.
- VCDPA requires controllers to provide an appeals process for consumer requests.
- VCDPA does not impose many compliance record-keeping requirements.
- VCDPA has no 12-month re-consent period for opt-outs like CPRA.
- VCDPA grants opt-outs for sales, ads and profiling. Broader than CCPA.
While similar in spirit, businesses should not rely solely on CCPA compliance to satisfy VCDPA. Review specifics carefully.