An Overview of The Virginia Consumer Data Protection Act (VCDPA)

The United States does not yet have a federal privacy law, but led by California more states are getting on board with their own. Virginia was the second state to pass consumer privacy legislation, followed by Colorado. We can already see how technology, global business and the law continue to evolve. Virginia’s law is clearly influenced by California and the European Union, and has influenced states like Connecticut and Utah in turn.

Read on to learn more about these questions and much more:

• What and who does the VCDPA cover?
• How does the VCDPA compare to other state or federal laws on consumer data protection?
• What does the VCDPA mean for consumers and businesses?
• How do affected organizations need to prioritize competing privacy compliance requirements?

The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and takes effect January 1st, 2023, the same day as California’s Consumer Privacy Rights Act (CPRA).

Virginia was the second state after California to sign a state-wide privacy act into law. The VDCPA takes some influence from California’s CPRA and the earlier California Consumer Privacy Act (CCPA) as well as the European Union’s General Data Protection Regulation (GDPR), but it is by no means a “copy cat” law.

Attitudes toward privacy and personal data are changing around the world, and technology continues to evolve. It has become increasingly accepted that people have rights to information about them and how it can be used. Laws like the VCDPA are intended to clarify and enshrine those rights, as well as organizations’ responsibilities in protecting them. It’s also intended to set up a framework to enable maintenance of these provisions as data sources, technology, regulations, and social attitudes evolve.

If the United States had a federal-level data privacy law, the state-level Virginia privacy law might not be needed (or the other state-level laws passed to date), but in the absence of a federal law, each state has to tackle data privacy for its residents’ protection. The five states that have passed privacy laws to date have taken content and influence from each other for their laws, so none of them have started entirely from scratch. Even California, which passed the first privacy law in the US, took influence from Europe’s GDPR and other existing privacy laws.

The VCDPA affects companies that do business in Virginia, or that produce products or services targeted to residents of Virginia. Companies do not have to be headquartered in the state to be affected.

The Virginia privacy law includes fair information practice principles (FIPPs). Foremost among these is to have a specific, disclosed purpose for collecting personal data, and limiting collection of that data to what is reasonably necessary to fulfill that purpose. It also imposes limitations on use and prohibits processing that isn’t reasonably necessary or compatible with the purposes that have been communicated to consumers.

In addition to notifying consumers about the types of data processed and purposes of processing, companies need to communicate consumers’ rights and the process to exercise them (as well as set up that process).

Consumers’ consent does not have to be obtained for personal data collection or processing in most cases, but it is where sensitive personal data is concerned. Consumers also have the right to opt out of data collection and processing of their data for sale, targeted advertising, or profiling, so companies must provide a clear mechanism to do that.

Companies also need to have reasonable security practices to protect “confidentiality, integrity and accessibility of personal data”, and communicate to consumers what these practices are.

The VCDPA is a state-level privacy law that protects personal data belonging to consumers who are residents of Virginia. Consumers in this context refers to natural persons, or people acting as representatives of households. Like some of the other state laws, the VCDPA does not include a natural person acting in a commercial or employment context.

For-profit entities that are subject to Virginia’s data privacy law are referred to as the data “controller”, which is a term also used in the GDPR, meaning: “…the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.” Closely tied to the controller is the “processor”, defined as: “a person or entity that “processes personal data on behalf of a controller.” So a controller may do their own data processing, or another party, like a vendor, may act as the processor and do it for them. Such a relationship includes data safeguards and contractual requirements.

Another key definition in the VCDPA is that of “processing”, which refers to whatever is being done with or to consumers’ data: “…any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”

The VCDPA governs the collection and processing of consumers’ data, including their consent to its use (or opt out of that) and requests relating to their rights to it.

All current privacy laws have generally consistent definitions of what constitutes personal data or information, but there are a number of variations at the granular level. See Personally Identifiable Information (PII) vs. Personal Data – What’s the difference? There’s also linked vs. linkable personal information, definitions that depend on how many combined data points are needed to establish an individual’s identity.

Some laws have further defined “sensitive personal data”. This data can establish identity usually with a single data point, or due to the nature of it it can be more easily used to cause harm to an individual if stolen or misused.

Under Virginia’s privacy law, the following categories qualify as sensitive personal data:

• Collected from a known child under the age of 13 [consent to process this data must come from a parent or legal guardian, in line with the requirements of the Children’s Online Privacy Protection Act (COPPA)]
• Genetic or biometric data, if processed for the purpose of identifying an individual
• Geolocation data, precise to within a radius of 1,750 feet
• Citizenship or immigration status
• Racial or ethnic origin
• Religious beliefs
• Sexual orientation or activities
• Health diagnosis (mental or physical)

“Sale” is defined as “the exchange of personal data for monetary consideration by the controller to a third party”.

Like Utah’s law, this definition excludes “other valuable consideration” options as a sale, as well as these types of transactions that disclose personal data:

• to a processor working on behalf of the controller
• to a third party as part of a merger, acquisition, bankruptcy, or other transaction
• to a third party to provide a product or service that the consumer has requested
• to an affiliate of the controller
• that the consumer intentionally made public without restriction (e.g. social media with minimal or no privacy settings)

The VCDPA gives consumers several key rights:

• to inquire if a controller is processing their personal data, and receive confirmation if it is
• to receive access to their personal data, provided by the controller, if it is being processed
• to request and be provided with a copy of their personal data in a portable and usable format, with considerations for the “reasonableness” of the volume and frequency of requests
• to have inaccuracies in their data corrected
• to have their data deleted upon request, if it was provided by the consumer or was obtained about them
• to opt out of having their data processed for the purposes of:
  • targeted advertising
  • profiling for decisions that would affect the consumer in a legal or similarly significant way
    sale
• to not be discriminated against by the processor for exercising any of their rights

Ensuring that these rights are addressed in a company’s compliance efforts goes a long way to answering the question of “How can I make sure that my business is compliant with the VCDPA?”

However, on the consumer side, “How can I exercise my rights under the VCDPA as a Virginia consumer?” is an equally important question. Companies not only have to notify consumers about their rights, but also how to exercise them. This is commonly done with contact information supplied in the privacy policy page or similar. However, for alleged violations or similar complaints, consumers will have to contact the Virginia Attorney General’s office, which handles investigations.

One interesting omission is that under Virginia’s data privacy law consumers do not have to be separately or explicitly notified when data is collected (unless it’s classified as “sensitive”), which differs from the California laws. When companies don’t need to obtain consent, for example, they can be compliant with VCDPA requirements for notification with information posted to their website, like in the privacy policy.

Under the VCDPA there is no private right of action, which means that consumers cannot sue companies (or controllers) for alleged violations of the VCDPA. To date only California has provided this right.

Complaints would have to be directed to the Virginia Attorney General, who will have responsibility for investigating allegations of violations and enforcing the law.

Violations of the VCDPA can result in fines up to $7500 per violation, levied by the Virginia Attorney General. This is consistent with fines under the California and Utah laws, though potentially much less than the fines that can be levied under the GDPR, which can be up to 20 million Euros or four percent of annual revenue, whichever is higher.

The Attorney General has to provide companies with 30 days’ notice of a violation and “opportunity to cure”, which means to correct issues that led to the violation, and possible recurrence of the violation, before fines can be levied.

Outside of “official” penalties, however, companies accused of breaches or other violations can lose considerable brand reputation, affecting customer acquisition, retention, and revenues.

The VCDPA affects companies that are for-profit and doing business in Virginia or producing products and services for consumers who are Virginia residents. If they:

• control or process personal data of 100,000 or more consumers during a calendar year, or
• control or process personal data of 25,000 or more consumers and derive over 50 percent of their gross revenue from the sale of that personal data

These requirements differ from the California laws in that a company’s gross annual revenue is not a criterion on its own (US $25 million is used in some other laws) and gross revenue from the sale of personal data is tied to a threshold number of consumers. In some other laws the requirement is only earning at least half of their annual revenue from the sale of personal data, but there isn’t a threshold number of consumers tied to it.

The duties of controllers under the VCDPA are:

• To set up and maintain administrative, technical, and physical data security practices that are reasonable and appropriate to the amount and types of personal data processed in order to protect confidentiality, integrity and accessibility of personal data.
• To respond to consumer requests regarding their data within 45 days of receipt of the request (in some cases the response period can be extended by an additional 45 days).
• To set up a process for consumers to appeal refusal by the controller to take action on consumer requests.
• To limit collection of consumers’ personal data to what is “adequate, relevant, and reasonably necessary” for the purposes that the data is being processed, as disclosed to consumers.
• To not process personal data for purposes other than those disclosed to consumers, and that are not reasonably necessary nor compatible with previously disclosed purposes, unless consumer consent has been obtained, and with certain exceptions.
• To not discriminate against consumers by processing personal data in violation of relevant state and federal laws.
• To ensure that agreements with processors do not purport to waive or limit in any way consumer rights.
• To notify the consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  • the categories of personal data processed by the controller
  • the purpose for processing personal data
  • how consumers can exercise their rights including appeal proceedings
  • categories of personal data that the controller shares with third parties, if any
  • the categories of third parties if any, with whom the controller shares personal data
• To clearly and conspicuously disclose processing if it sells personal data to third parties or processes personal data for targeted advertising or profiling, as well as the manner in which a consumer may exercise the right to opt out of these sales or uses.
• To establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their rights.

Regarding de-identified (anonymized) data, under the VCDPA controllers have several protective duties:

• to take reasonable measures to ensure it can’t be associated with an individual (natural person)
• to commit publicly to abstaining from attempting to re-identify the data
• to contractually obligate recipients of de-identified data to comply with VCDPA requirements.

Under Virginia’s privacy law, while controllers have responsibilities to consumers, they also need to have contractual agreements with processors. This is similar to requirements under the GDPR, to ensure that only necessary data is processed, and only those who need access to the data have it. Additionally, they must also be properly trained in handling and security.

A controller/processor agreement should cover:

• rights and obligations of both the controller and processor
• type of data to be processed
• nature and purpose of processing
• duration of processing

Any agreement should also ensure that any processor:

• ensures that each person processing personal data is subject to a duty of confidentiality regarding the data
• upon reasonable request provides all information in its possession to demonstrate compliance with its obligations
• at the controller’s direction, returns or deletes all personal data once services provided are completed (unless retention is required by law)
• cooperates with the controller’s or controller’s designated assessors’ assessments of the processor’s policies and organizational or technical measures for compliance
• engages with subcontractors, which meet the obligations of the processor with respect to the personal data in a written form.

Under the VCDPA, consumer consent is required before a controller can process their personal data for specific purposes, like when the data is sensitive or belongs to a child. Formal consent is required, including consumer opt-in, and the creation of a Data Protection Assessment (DPA) is needed when any of the criteria listed below take place.

A DPA identifies and weighs the benefits and risks of personal data processing for the controller, consumer, other stakeholders, and the public more broadly. The risks, it should be noted, are mainly for affected consumers. A DPA also includes safeguards to mitigate identified risks to processing the data.

Companies need a DPA if they engage in any of the following activities regarding personal data:

• sale
• processing of sensitive personal data
• processing of personal data presenting a heightened risk of harm to consumers
• processing for targeted advertising purposes
• profiling, if there is a reasonable risk of
  • unfair or deceptive treatment of consumers, or unlawful disparate impact on them
  • financial, physical, or reputational injury to consumers
  • reasonably offensive intrusion on the solitude or private affairs of consumers
  • other substantial injury to consumers

Controllers are also responsible for having a privacy notice, e.g. on a privacy policy page, under the VCDPA, which needs to be in clear language, prominently displayed and accessible, and include:

• categories of personal data the controller will process
• categories of personal data the controller shares with third parties, if any
• categories of third parties with whom the controller will share personal data, if any
• purpose of the data processing
• disclosure regarding data processing for sale, targeted advertising purposes, or profiling, and instructions to enable consumers to opt out

Controllers also need to provide means by which consumers can exercise their rights under Virginia’s data privacy law and communicate with the controller. These means need to be “secure and reliable” and have to take into account ways in which the controller and consumers normally interact. Using a link on a website would be reasonable, for example, but a long, bureaucratic process would not.

Controllers also need to be able to authenticate consumers’ identities if they make requests, but can’t require consumers to create new accounts in order to make those requests.

In addition to companies that do not meet the data or revenue criteria listed above, the following types of businesses do not have to comply with the VCDPA:

• bodies, authorities, boards, bureaus, commissions, districts, or agencies of the Commonwealth of Virginia or political subdivision of the Commonwealth
• financial institutions or data that are subject to Title V of the federal Gramm-Leach-Bliley Act (which requires companies to safeguard consumers’ sensitive data and explain their information-sharing practices)
• covered entities or business associates governed by the Health Information Technology for Economic and Clinical Health Act (HITECH)
• nonprofit organizations
• institutions of higher learning

Not all processed consumer data is subject to the VCDPA, and exemptions can be full or partial. Exemptions include personal data that is:

• publicly available
• de-identified (anonymized)
• regulated by existing laws, including:
  • consumer credit check information under the Fair Credit Reporting Act (FCRA)
  • Student data regulated by the Family Educational Rights and Privacy Act (FERPA)
  • Driver’s Privacy Protection Act
  • Farm Credit Act
  • patient and health information, as well as covered entities and business associates, governed by the Health Insurance Portability and Accountability Act (HIPAA) and other laws
• of employees, independent contractors, and applicants, including data collected and used in the context of those roles

In this way Virginia’s privacy law differs a fair bit from the California laws and the GDPR, as they have fewer specific exemptions based on existing laws of more limited scope. These exemptions are similar to those of Utah, Connecticut and Colorado’s laws, however.

The Virginia data privacy law has more limitations in its scope than the California laws or GDPR, particularly regarding VCDPA compliance with existing laws at varying levels. Not limiting processing of consumers’ personal data for operations “reasonably aligned with the expectations of the consumer”, also leaves a fair bit of room for interpretation.

Under the VCDPA controllers do not have to provide a “clear and conspicuous link” to enable consumers to opt out of the sale of their data, commonly referred to as a “Do Not Sell” button, as is required in California.

Controllers and processors do, however, have the comply with the following:

• processing for certain business purposes, e.g. product recalls
• federal, state, and local laws and regulations
• criminal, civil, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities
• investigation of, preparation for, or defense against legal claims
• cooperation with law enforcement agencies regarding conduct or activities that processors reasonably believe may violate federal, state, and local laws and regulations
• provide a product or service, perform a contract to which the customer is a party, or take steps as specifically requested by the consumer prior to entering into a contract
• respond to security issues or potential illegal activity
• take immediate steps for the life and safety of individuals
• conducting research in public interest (under certain conditions)

Like the other US state-level laws, the VCDPA uses an opt-out model where consent is not needed, rather than an opt-in model like with the EU’s GDPR. This provides more access to data and in many cases, fewer restrictions on its use. Like pretty much all privacy laws, the VCDPA does require notification of consumers about data collected, its purposes, etc.

Like all of the state-level laws except California, Virginia’s privacy law is in its first version, and is expected to be amended over time once lawmakers see how it is working and where there are issues. Changes in data sources, technology, and other concerns will also likely have an influence. It is not known exactly how it would affect state-level laws if a federal data protection law is eventually passed in the US, though it would supersede state-level law in at least some ways, presumably, and there would likely be more centralized enforcement.

Compliance with a single law, rather than potentially 50+ state- and territory-level laws would certainly be much more straightforward for entities doing business in and around the United States. One federal-level influence already in place is that the VCDPA, like some of the other state-level laws, requires following the Children’s Online Privacy Protection Act (COPPA) where the collection and/or processing of children’s data is concerned. Also, some of the exemptions to VCDPA compliance are with other federal level acts.

The VCDPA does not enable consumers to sue companies in the event of an alleged breach or violation, so enforcement is limited to the actions of the Virginia Attorney General. This is similar to all the other US state-level laws to date except California’s. Utah and Connecticut also place enforcement in the hands of the Attorney General’s office.

For companies already working to comply with, or in compliance with the CCPA/CPRA or even GDPR, VCDPA compliance should require a limited amount of work. Like Utah’s Data Privacy Act (UDPA), Virginia’s Attorney General has referred to the VCDPA as a work in progress. Amendments over time are likely, especially given that the law mandates a working group to review it and implementation issues.

The Virginia Consumer Data Protection Act provides a number of new consumer rights, as well as companies’ requirements for notification and circumstances under which consent must be obtained before collecting and processing data. Consulting qualified legal counsel is recommended to determine your organization’s potential responsibilities and actions needed to ensure VCDPA privacy compliance when the law comes into effect. Proactive efforts to protect user privacy are also always a good idea to help build user trust and secure high-quality data for marketing operations.

Consult one of our experts to help ensure your company’s data compliance and happy customers.