Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) but excludes employee and business representative data from its scope.
Businesses that have implemented measures to comply with the CCPA can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the VCDPA. However, the VCDPA contain certain unique and prescriptive requirements that will require VCDPA-specific approaches to compliance. For example, the VCDPA requires businesses to obtain affirmative opt-in consent before processing sensitive personal data, and to conduct data protection assessments when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling or profiling. Unlike the CCPA and other privacy laws, the VCDPA does not provide the Virginia Attorney General with rulemaking authority. Any changes to the VCDPA must be done via amendments by the legislature.
The VCPDA becomes effective 1 January 2023 and does not include a look-back period for violations.
Who and what data are protected?
The VCDPA protects "consumers", which the statute defines as Virginia residents acting in an individual or household context. Individuals acting in an employment or commercial context are expressly excluded from protection.
The VCDPA defines "personal data" to mean information that is linked or reasonably linkable to an identified or identifiable individual, but does not include data that is de-identified or publicly available. Unlike the CCPA, the VCDPA does not expressly protect the personal data of households.
The VCDPA includes exemptions for certain types of data and entities. These include exemptions for institutions governed by the Gramm-Leach-Bliley Act (GLBA) and certain data maintained by a public utility, employment records, protected health information processed by covered entities and business associates under the Health Insurance Portability and Accountability Act, and other types of information already regulated under other federal laws, including the GLBA, Family Educational Rights and Privacy Act, Fair Credit Reporting Act, and Children's Online Privacy Protection Act (COPPA).
Who must comply?
Unless an exemption applies, the VCDPA applies to "controllers" and "processors" that conduct business in Virginia or sell products or services intentionally targeted to residents of Virginia, and meet either of the following thresholds: the business (i) controls or processes personal data of 100,000 or more consumers during a calendar year; or (ii) controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.
"Controller" is analogous to a "business" under the CCPA and is defined as a person that, alone or jointly with others, determines the purposes for and means of processing personal data. "Processor" is analogous to a "service provider" under the CCPA and is defined as a person who processes personal data on behalf of a controller. To qualify as a "processor" under the VCDPA, a company has to process personal data on behalf of a controller. The VCDPA mandates that processors adhere to the controller's instructions and assist the controller with complying with the controller's own obligations, and the two parties must enter into an agreement with certain terms prescribed by the VCDPA.
How to comply?
Privacy Notices. Under the VCDPA, controllers must provide privacy notices that include: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their rights, including the controller's contact information and how a consumer may appeal a controller's decision with regard to a consumer's request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. Unlike the CCPA, the VCDPA does not expressly require that privacy notices be issued prior to collection and they do not need to include certain elements required by the CCPA such as information on sources of personal data, processes that the controller follows to verify requests, or information on financial incentives offered in exchange for the collection, retention or sale of personal information. Nevertheless, and depending on what notices a business currently issues and what they cover, many businesses can leverage current privacy notices to comply with the VCDPA by updating such notices to include statements regarding the right under the VCDPA to appeal a controller's decision with respect to data subject requests.
The VCDPA also requires controllers that "sell" personal data to third parties or process personal data for targeted advertising to clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing. Unlike the CCPA, the VCDPA definition of "sale" of personal data is limited to an exchange of personal data for monetary consideration. The VCDPA also excludes certain types of disclosures from being a "sale" of personal data, such as disclosures to a processor to process the personal data for the controller, disclosures of personal data to a third party for the purpose of providing a product or service requested by the consumer, disclosures to an affiliate of a controller, disclosures to third parties as part of a merger or similar transaction, or disclosures of personal data intentionally made available by a consumer to the general public or mass media channels.
Sensitive Data. Unlike the CCPA, which will introduce an "opt-out" regime for the processing of sensitive personal information beyond certain authorized purposes, the VCDPA requires consumers to "opt-in" to the processing of their sensitive data.
The VCDPA defines "sensitive data" to mean certain prescribed categories of data, including personal data that reveals an individual's race, ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status; personal data from a known child (under 13); the processing of genetic or biometric data for the purpose of uniquely identifying an individual; and precise geolocation data.
In practice, fitness trackers, delivery app services, and other businesses that provide recommendations and/or services based on a consumer's precise location must ensure that they obtain opt-in consent from users before processing such personal data. When dealing with children's data, companies must obtain consent from parents or guardians in accordance with the verifiable parental consent requirements of COPPA.
Technical and Organizational Measures, Assessments. The VCDPA requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices, and to conduct and document data protection assessments before engaging in any processing activity that presents a heightened risk of harm to a consumer. The VCDPA considers processing for purposes of targeted advertising or profiling, selling personal data, and processing sensitive data to be activities that typically present a heightened risk of harm to consumers.
The CCPA did not initially contain such an assessment requirement, but the California Privacy Protection Agency is tasked under the CCPA with issuing regulations that will require audits and risk assessments as well. Companies should be able to leverage assessments performed under the VCDPA to comply with CCPA and other US state privacy statutes.
Data Processing Agreements. Before a processor performs any processing on behalf of a controller, the parties must enter into a contract that includes terms similar to those required under other US state privacy laws (and the GDPR), including the controller's instructions for processing and requirements that the processor shall (1) keep the personal data confidential; (2) delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) on request, make data available to the controller; (4) cooperate with third party assessments; and (5) conclude similar agreements with subcontractors. Data processors must adhere to controllers' instructions and use appropriate technical and organizational measures to assist controllers in meeting their obligations under the VCDPA. Businesses should continue to update their contracts while keeping standardization in mind where possible (see Standardizing data-processing agreements globally).
Data Subject Rights. Under the VCDPA, consumers have the right to know whether a controller is collecting their personal data, to access their collected personal data, to download and remove personal data from a platform in a format that allows the transfer to another, and to correct and delete personal data held on them. Consumers also have the right to opt-out of the sale of their personal data, or use of their personal data for targeted advertising and certain types of profiling.
Responding to Data Subject Rights Requests. To exercise one's rights, the VCDPA allows consumers to, once they have been authenticated, receive responses to consumer requests without undue delay but in any case within 45 days of receipt of the request. Controllers may extend this time period by another 45 days where reasonably necessary, and the consumer will ultimately have the ability to appeal any decision made by the controller under the controller's appeal process (which the VCDPA requires controllers to put into place). The appeals process must provide the consumer with an appellate response within 60 days and must provide consumer information on how to contact the Virginia Attorney General if the consumer has concerns about the results of any appeal. This contrasts with the CCPA, which does not mandate an appeals process.
Sanctions and remedies. Unlike the CCPA, there is no private right of action provided by the VCDPA, but the Virginia Attorney General can bring a civil action for an injunction or penalties of not more than USD 7,500 per violation. The Virginia Attorney General must first issue a notice of violation to a controller and allow a 60-day cure period before pursuing an enforcement action. Similar to the CCPA, the VCDPA creates a consumer privacy fund that will support actions by the Virginia Attorney General to enforce the VCDPA.