On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act ("VCDPA") into law. By enacting the VCDPA, Virginia becomes the second state nationwide to implement a comprehensive consumer data privacy law, following the California Consumer Privacy Act ("CCPA"). While the VCDPA is similar to the CCPA in many respects, the VCDPA has a different scope and different obligations than the CCPA. Accordingly, impacted businesses must conduct a separate scope analysis, and they will need to set up different business rules to comply with the VCDPA if they are subject to it.
The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either (i) control or process personal data of at least 100,000 consumers during a calendar year, or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The VCDPA applies to information that is linked or reasonably linkable to an identified or identifiable person acting in an individual or household context. The law also provides special protections for sensitive data, which includes personal data including certain demographic, biometric, or location information, along with information on a known child.
However, the VCDPA does not apply to, among other things:
- financial or subject to the federal Gramm-Leach-Bliley Act;
- certain regulated by the Fair Credit Reporting Act;
- information on persons acting in a commercial or employment context;
- deidentified data; or
- publicly available information.
The VCDPA imposes different obligations depending on whether the business is a controller (the person that determines the purpose and means of processing personal data) or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing.
The VCDPA provides consumers with a number of rights related to their personal data, several of which are similar to rights available under the CCPA. Under the VCDPA, consumers have the right to:
- confirm whether or not a controller is processing personal data;
- access their personal data;
- correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the personal data;
- delete personal data provided by or obtained about them;
- obtain a portable copy of personal data that they previously provided to the controller; and
- opt out of the processing of personal data for:
  - targeted advertising,
  - the sale of personal data, or
The VCDPA requires controllers to, among other things:
- limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such personal data is processed, as disclosed to the consumer;
- not process personal data for purposes that are not reasonably necessary or compatible with disclosed purposes, unless the controller obtains consumer consent;
- establish, implement, and maintain data security practices;
- not process personal data in violation of discrimination laws;
- not process sensitive personal data without consent; and
- clearly and conspicuously disclose if it sells personal data to third parties or processes personal data for targeted advertising and disclose the manner in which a consumer can exercise his or her opt-out rights.
Controllers must provide consumers with a that includes certain information about personal data processed by the controller.
The VCDPA requires a data protection assessment to identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.
Controllers must conduct and document data protection assessments when engaging in the following activities:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers;
- the processing of sensitive data; and
- any processing activities involving personal data that present a heightened risk of harm to consumers.
A processor must follow a controller's instructions and must assist the controller in:
- responding to consumer rights;
- meeting breach notification obligations; and
- providing information to enable the controller to conduct and document data protection assessments.
There are also requirements for contracts between controllers and processors.
The Virginia attorney general has exclusive authority to enforce the VCDPA, and may seek civil penalties of up to $7,500 for each violation of the VCDPA, in addition to injunctive relief.
The VCDPA does not contain a private right of action.
The VCDPA will become effective on January 1, 2023.