New Data Privacy Law: Virginia Consumer Data Protection Act (VCDPA)

by John DiGiacomo

Partner

Internet Law

On January 1st of this year, Virginia’s Consumer Data Protection Act (VCDPA) took effect. Much like the California Consumer Privacy Act (CCPA), which has been effective since 2020, the VCDPA creates a host of protections for individuals to take more control over their personal data. In turn, the Act creates a number of new obligations for businesses who have customers in Virginia. It’s important for businesses to be aware of these new data privacy requirements, and it’s likely more states will enact similar legislation in the near future.

What businesses must comply with the VCDPA?

To fall under the scope of the VCDPA, anyone doing business in Virginia must satisfy one of two thresholds. Either an entity controls or processes:

  1. the personal data of at least 100,000 consumers in a calendar year, or
  2. the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.

In essence, large entities (those that control or process data for over 100,000 users per year) and smaller entities that sell a lot of personal data fall under the scope of the new VCDPA.

The Act also features several carveouts: state agencies, nonprofit organizations, colleges and universities, and entities subject to Title V of the Gramm-Leach-Bliley Act (GLBA), which regulates banks and other financial institutions, are not subject to the provisions of the VCDPA. Moreover, certain types of data, like protected health information that is protected and regulated under HIPAA, are not subject to the VCDPA.

What rights does the VCDPA provide users?

The VCDPA creates the following rights for users:

  • The right to know, access and confirm personal data
  • The right to delete personal data
  • The right to correct inaccuracies in personal data
  • The right to data portability
  • The right to opt out of the processing of personal data for targeted advertising purposes
  • The right to opt out of the sale of personal data
  • The right to opt out of profiling based upon personal data
  • The right to not be discriminated against for exercising any of the foregoing rights

Along with borrowing much from the CCPA, the VCDPA also borrows from the European Union’s General Data Protection Regulation (GDPR). The VCDPA gives users not only the right to know what data of theirs is being processed and the chance to opt out of such processing (CCPA), but also the right to correct inaccuracies (GDPR). Also like the GDPR, the VCDPA requires companies to enter into contracts with third parties who handle their users’ personal data to ensure the third-party processor is following the mandates of the Act.

Finally, the VCDPA includes in the definition of ‘personal data’ biometric data and imposes restrictions on the collection and processing of biometric data much like those found in the Illinois Biometric Information Privacy Act. In many ways, the VCDPA is a collection of current privacy efforts and will likely serve as a model for future state laws. 

Can you be sued for violation of the VCDPA?

There is no private cause of action for an individual to sue under the VCDPA. However, the Virginia Attorney General may request a copy of your data protection assessment (see below) at any time, and the statute gives controllers an express 30-day period to cure any failures under the statute to avoid the filing of a civil complaint by the Attorney General. The Attorney General can seek damages of up to $7,500 per violation.

How can I comply with the VCDPA?

If you are subject to the VCDPA, you must:

  • obtain consent prior to collecting and processing certain categories of sensitive personal data such as precise geolocation data, data about protected characteristics and genetic or biometric data;
  • contract with third parties who collect and/or process your users’ personal data to make clear their responsibilities under the Act regarding the personal data they handle;
  • only hold data you need for a specific purpose and for only as long as is necessary to achieve that purpose;
  • implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data; and
  • conduct and document a data protection assessment when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling or profiling.

Given the complexities of the requirements of the VCDPA, it is important to consult with attorneys who are experts in data privacy law. More and more states are passing data privacy statutes—the Connecticut Data Privacy Act goes into effect on July 1, 2023 and the Colorado Privacy Act goes into effect on July 1, 2024—and the landscape is changing quickly. The team at Revision Legal can help you navigate this space and craft privacy policies and best practices curated specifically for your business and its needs.
