On April 11, 2022, Virginia amended its comprehensive data protection legislation that was passed in 2021 to address issues that had been identified since its initial implementation. These amendments to the Virginia Consumer Data Protection Act (VCDPA) become effective January 1, 2023,[1] and include the following revisions:

  1. Adding a new exemption to the VCDPA’s right to delete to make compliance easier for entities that do not collect personal data directly from a consumer, such as data brokers.
  2. Repealing the Consumer Privacy Fund provision, directing the penalties, expenses and attorney fees recovered in enforcing the VCDPA to a different fund.
  3. Modifying the VCDPA’s definition of a nonprofit to include almost all political organizations.

Background

Virginia is one of only a handful of states thus far with a comprehensive law governing data privacy. The VCDPA applies to businesses that either:

(1) Conduct business in Virginia or produce products or services that are targeted to Virginia residents.

(2) During a calendar year—

(i) Control or process personal data of at least 100,000 consumers.

(ii) Control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The VCDPA contains many broad exemptions, such as for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA), as well as nonprofits and institutions of higher education. Where the VCDPA applies, it grants certain rights to consumers concerning their data, namely the right to access their personal data, the right to correct inaccuracies in their personal data, the right to data portability, the right to opt out of certain processing and the right to delete their personal data.

Unlike California (via the California Privacy Rights Act (CPRA)), Virginia does not have a dedicated privacy agency to promulgate regulations. Instead, the VCDPA-created Virginia Consumer Data Protection Work Group met over the course of 2021 to recommend changes to the law, releasing its final report in November. The recommendations of this working group resulted in these three amendments.

New Right to Delete Exemption

With the signing of HB 381, the VCDPA gains a new exemption to the right to delete personal data.[2] Specifically, organizations that determine the purpose and means of processing consumer personal data (“controllers”) will not always have to delete personal data upon request. The amendment states that data controllers that have obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete this data by either:

  1. Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose.
  2. Opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the VCDPA.[3]

This new deletion exemption will be beneficial to data brokers and other companies that do not directly obtain personal data from consumers, enabling them to more easily comply with data deletion requests.

Repeal of Consumer Privacy Fund

The Governor signed identical bills SB 534 and HB 714, which alter the funding structure for enforcement of the VCDPA. While the original language of the VCDPA provided for the creation of a Consumer Privacy Fund, now all “civil penalties, expenses, and attorney fees collected pursuant to [the VCDPA] shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation and Enforcement Revolving Trust Fund.”[4] This change pertains only to enforcement funding and does not affect company obligations under the law.

Expanded Definition of “Nonprofit Organization”

The aforementioned bills also amend the definition of “nonprofit organization” to include political organizations.[5] As noted above, nonprofit organizations are exempt from compliance with the VCDPA. A “political organization” is defined by this amendment as:

“a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.”[6]

Takeaways

With these amendments signed into law by Gov. Youngkin, the VCDPA text is likely final in advance of its January 1, 2023, effective date. Companies covered by the VCDPA should incorporate these amendments into their VCDPA compliance plans, taking measure of how features such as the new right to delete exemption (a feature present in Utah’s new law) will affect their practices. The changes do not greatly alter the VCDPA, only providing more business-friendly clarifications to an already business-friendly data privacy law.