Virginia is for (Privacy) Lovers: Second Comprehensive State Privacy Law Signed

PDF

Yesterday, Governor Ralph Northam signed into law Virginia’s Consumer Data Protection Act (“VCDPA”). Virginia joins California as the second U.S. state to enact a comprehensive data privacy law. The new law will come into effect on January 1, 2023, the same day that California’s amendments to the California Consumer Privacy Act (“CCPA”) take effect by way of the California Privacy Rights Act (“CPRA”).

What is the VCDPA?

The VCDPA is a comprehensive data privacy law similar to the CCPA and Europe’s General Data Protection Regulation (“GDPR”). It restricts how businesses who target their products or services to Virginia residents may use personal data and it provides certain rights to resident consumers. Like the GDPR and CCPA, the VCDPA broadly defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable natural person.

What organizations are covered by the VCDPA?

The VCDPA governs for-profit businesses that either:

a) in a calendar year, control or process the personal data of 100,000 or more Virginia residents,

OR

b) control or process the personal data of at least 25,000 residents, and derive more than 50% of their gross revenue from the sale of personal data. Unlike the CCPA, there is no minimum annual gross revenue threshold. Entities covered by and data subject to the requirements of the GLBA, HIPAA, and FERPA are exempt from VCDPA compliance.

What Does the VCDPA Require?

Businesses must:

• Limit their collection of personal data to only what is reasonably necessary;
• Notify consumers about their personal data collection, use, and sharing practices;
• Explain how consumers can exercise their rights under the VCDPA and offer a secure mechanism for exercising those rights;
• Obtain consumer consent before processing “sensitive data”;
• Establish written contracts delineating specific rights and responsibilities between controllers and processors;
• Perform data protection assessments for certain types of personal data processing, such as profiling or targeting.

What Rights Does the VCDPA Provide to Consumers?

The VCDPA empowers consumers to confirm whether a business is processing the consumer’s personal information and to obtain copies of that information, to correct inaccuracies in personal information or delete it, and to opt out of the processing of personal data being sold or used for profiling or targeted advertising purposes. Businesses are prohibited from discriminating against a consumer for exercising these rights, for example, by denying goods or services or by charging a different price, except as part of the consumer’s voluntary participation in a loyalty or rewards program.

How Will the VCDPA Be Enforced?

Virginia’s Attorney General has exclusive authority to enforce the VCDPA, and can issue civil penalties of up to $7,500 for each violation.

Actions to Take Now

Businesses have just under two years to get fully compliant with the CDPA, and these compliance efforts can be implemented in parallel with CPRA compliance program updates. Businesses already complying with the CCPA and/or GDPR have a head start, but will need to account for new requirements imposed by the VCDPA.