December 16, 2022

The Virginia Consumer Data Protection Act: All You Need To Know

Virginia is the second state of all the 50 US states to enforce state law on data protection. The Virginia Consumer Data Protection Act aims to protect consumers’ personal data in Virginia. This article will delve deep into what this law requires from your business.


It draws many similarities with other consumer protection laws such as California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA), and the state laws of Colorado, Utah, and Connecticut.

You’ll learn about the following:

  • Does the VCDPA apply to your business?
  • What consumer rights does the VCDPA grant, and how do you respond to them?
  • What is a VCDPA-compliant privacy notice?
  • What are Privacy Impact Assessments, and do you need one?
  • How much are the VCDPA penalties?

What is the Virginia Consumer Data Protection Act (VCDPA)?

The Virginia Consumer Data Protection Act is Virginia’s first data privacy law. It was signed into law on 2 March 2021, and its effective date is 1 January 2023.

Its goal is to protect Virginia residents’ privacy when businesses handle their personal information.

It follows the trend set by the California Consumer Privacy Act (CCPA). It relies solely on the opt-out principle, meaning that businesses to whom it applies are allowed to process personal data as long as the consumer does not object.

It has been amended once already. The amendments address consumer requests to delete personal data held by businesses, broaden the definition of nonprofit organizations, and redirect penalties and fees collected by the Attorney General’s Office from VCDPA enforcement to an existing fund.

To whom does the VCDPA apply?

VCDPA applies to natural and legal persons that:

  • Conduct business in Virginia or sell products and services in Virginia, and
  • Meet at least one of the following requirements:
    - Control or process personal data of at least 100,000 Virginia residents, or
    - Control or process personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data in a calendar year.

The ‘sale of personal data’ is defined as ‘the exchange of personal data for monetary consideration’ by a business to a third party.

Is anyone exempt from the VCDPA?

Yes, there are a few exemptions. The law does not apply to:

  • Nonprofit organizations
  • Personal data in the employment context
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Entities subject to the Health Insurance Portability and Accountability Act (HIPAA)
  • Data processing regulated under the Fair Credit Reporting Act (FCRA) and other federal laws.

What is Personal Data under the VCDPA?

The VCDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person.

Name, home address, phone number, email address, IP address, social security number, etc., are all examples of personal data.

De-identified data and publicly available personal data are exempt from the definition. They are not personal data and are out of the scope of the law.

De-identified data cannot be linked to or reasonably associated with a person; therefore, it is not personal data. Public data is already available to anyone; hence, it is not protected.

What is VCDPA sensitive personal data?

The VCDPA distinguishes personal data from sensitive personal data. The following categories of personal data belong to the latter:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • The processing of genetic or biometric data to uniquely identify a natural person
  • The personal data collected from a known child; or
  • Precise geolocation data.

What are VCDPA controllers and processors?

The controller is the person or entity that decides if personal data will be processed. They also decide on the processing purposes, methods, categories of personal data to be processed, and so on.

The processor is the entity that processes the data on behalf of the controller.

In other privacy legislation in the US, controllers are often known as businesses, and processors are called service providers.

What is a VCDPA-compliant privacy notice?

Data controllers must present consumers with a privacy notice on data collection. You can do it by presenting them with a VCDPA-compliant privacy policy.

The privacy policy must contain at least the following essential information:

  • Categories of processed personal information
  • Processing purposes
  • Categories of personal data shared with third parties, if any
  • Categories of third parties with whom data is shared, if any
  • Information on the sales of personal data, if any
  • Information on processing personal data for targeted advertising, if any
  • Information on exercising data subject rights, particularly:
    - How consumers can exercise their personal data rights
    - How they can appeal the controller’s decision regarding their request
    - The methods for submitting a personal data request.

Do I need to obtain consent from consumers for data processing?

You don’t need consumers’ consent to process their personal data. There are two exceptions, however:

  • When you process children’s data, and
  • When you want to process consumers’ data for a purpose not stated in the privacy policy at the moment of collection.

In all other cases, you can process data until someone opts out of the processing.

What are VCDPA personal data rights?

Virginia CDPA grants consumers the following personal data rights:

  • Right to be informed (right to know) of the processing of personal data
  • Right to access their personal information
  • Right to correct inaccurate personal data
  • Right to opt out of the sale of personal data, targeted advertising, or profiling
  • Right to deletion of personal data

The VCDPA differs from other laws, such as the CCPA and CPRA, regarding the wording of data subject rights. Although the privacy legislation of other US states calls them consumer rights, VCDPA calls them personal data rights.

Additionally, the VCDPA requires that companies only hold the data they need for a specific purpose and for only as long as necessary to achieve that purpose; these principles are commonly referred to as purpose limitation and data minimization. The VCDPA also requires that companies implement and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data.

What are VCDPA personal data requests?

Personal data requests are the tool with which consumers exercise their personal data rights. If you are familiar with data subject requests under the GDPR in Europe or consumer requests under the CCPA or CPRA in California, you already have an idea of what is required of your business in Virginia.

Whenever you receive a consumer request, you are obliged to act on it. Failing to respond, or providing false information, constitutes non-compliance and leads to penalties.

Data controllers have 45 days to respond to the request. For more complex requests, the deadline is 90 days. The response must be free of charge unless the response requires significant expenses on the data controller’s part.

Before honoring the request, you must identify the requester. If you cannot identify them, you can refuse the request.

What is a data processing agreement, and why do I need one?

The VCDPA requires controllers to have written agreements with processors that process personal data on their behalf. Also, processors can only handle personal information if the controller gives them written instructions.

A well-structured data processing agreement will cover both VCDPA obligations. The agreement will be in written form and contain the necessary instructions on processing. Controllers must have a separate data processing agreement with every data processor.

Every agreement must contain the following essential elements:

  • Instructions for processing data
  • The nature and purpose of processing
  • The type of data to be processed
  • The duration of processing
  • The rights and duties of both parties, which must include provisions that the processor will:
    - Guarantee the confidentiality of the data shared with them for processing purposes
    - Delete or return the data to the controller at the end of the processing, upon the controller’s request
    - Provide the controller with any information necessary for them to demonstrate compliance with the VCDPA
    - Allow and assist with audits and inspections of the processing activities by the controller or a designated auditor.

What should you do in the event of a data breach?

In the event of a data breach, you must comply with breach notification requirements. The VCDPA itself does not address breach notification directly, but other Virginia laws impose notification requirements for narrower categories of personal information.

What is a Privacy Impact Assessment (PIA) under the VCDPA?

Data protection assessments are good security practice for preventing data security breaches. The PIA aims to identify privacy risks and determine measures to mitigate them. Under the VCDPA, they are mandatory in some cases.

You must conduct the Privacy Impact Assessment if you do at least one of the following data processing activities:

  • Targeted advertising
  • Sales of personal data
  • Profiling that may:
    - Lead to unfair treatment of consumers
    - Cause them financial, physical, or reputational damage, or
    - Intrude on the private affairs of the consumer, or
    - Cause any other damage to consumers
  • Sensitive personal data processing
  • Any other type of data processing that could pose a risk of harm to consumers.

In all other cases, you don’t have to conduct a PIA. However, it is good practice and a highly recommended addition to your security practices.

Who implements the VCDPA?

The Virginia Attorney General is the sole enforcer of the VCDPA. Consumers cannot take action on their own; they have no private right of action.

When the Attorney General becomes aware of a potential violation, they may initiate proceedings against the company. If the investigation shows that the VCDPA has been violated, the violator has 30 days to cure the violation.

If the business cures the violation, the matter ends there. If it does not, the Attorney General can take it to court to seek civil penalties.

How much are the VCDPA fines?

VCDPA fines have an upper cap of $2,500 for any violation and $7,500 for an intentional violation per incident. One consumer means one incident.

Consequently, if a business violates the VCDPA rights of 100 consumers, it may be fined up to $750,000 (100 consumers times $7,500 equals $750,000).

All fines, costs, and attorney fees from enforcing the VCDPA will go to the Consumer Privacy Fund to help the AG enforce the law.

How does VCDPA compare to GDPR, CCPA/CPRA, and other privacy laws?

The EU’s General Data Protection Regulation (GDPR) is the strictest data privacy law worldwide. US states take a different approach to data protection, and Virginia is no exception: like the other states, it relies on the opt-out principle and allows businesses to process data until someone objects.

On the other hand, the VCDPA fills the gap created by the previous absence of a data protection law in the state, which is a step in the right direction.
