This article provides an overview of what Virginia’s data privacy law, the Virginia Consumer Data Protection Act (VCDPA), entails and how it affects data subjects in Virginia and in other US states.
How does the VCDPA differ from the CCPA?
At just eight pages, the VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA). Experts such as Mark Smith, Bloomberg Law legal analyst, believe its brevity and clarity may result in the VCDPA becoming a model for future privacy legislation.
The VCDPA clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context.” Unlike California, where the B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air.
Additionally, businesses must satisfy one of the processing-volume thresholds described below to fall within the statute’s scope, and unlike California, the VCDPA makes no mention of a threshold based solely on annual gross revenue. Entities are not left to question whether processing the data of a dozen or so consumers will subject them to the law.
Virginia’s law has no significant recordkeeping requirements, aside from documenting data protection assessments. If a business already has in place a GDPR- or CCPA-compliant process for receiving and responding to data subject or consumer access requests, that process should be sufficient to handle requests from Virginia residents.
What are some potential points for clarification in the VCDPA?
- Applicability
The VCDPA applies to persons who “conduct business” in the Commonwealth or produce products or services that are “targeted” to residents of Virginia. The statute, however, does not define what “targeted” means.
- Right to Delete
The VCDPA permits consumers to request the deletion of personal data, but it fails to set forth any specific exceptions to the right to delete.
- Access and Data Portability
The VCDPA grants consumers a right to obtain a copy of their personal data, and it specifically indicates that the copy be provided “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance ….” But that provision also includes a modifier: “where the processing is carried out by automated means.” Experts say it’s not clear what, exactly, “automated means” modifies.
What are some limitations to the VCDPA?
The Virginia law has carve-outs for protected health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as for personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Those falling outside the scope of the law also include state agencies, nonprofit organizations, colleges and universities, and entities or data subject to Title V of the Gramm-Leach-Bliley Act, which largely regulates banks and other financial institutions.
Virginia residents won’t be able to directly sue over violations of the law. Enforcement will be left in the hands of the state attorney general, who can seek damages of up to $7,500 per violation.
A plus for business is the law’s 30-day cure period, which allows companies that receive letters alleging noncompliance to communicate with the attorney general’s office and remedy any potential violations before fines are imposed.
Additionally, unlike the CCPA, the Virginia data privacy law explicitly allows businesses to offer different prices and levels of service to consumers enrolled in loyalty programs without having to comply with certain obligations.
Like the CCPA, the VCDPA can apply to businesses that are not headquartered or incorporated in Virginia but nonetheless do business there. The VCDPA applies to companies that:
- Conduct business in Virginia or market their goods and services to Virginia residents; and
- Either:
  - Control or process the personal data of at least 100,000 Virginia residents; or
  - Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data.
What does the Virginia Consumer Data Protection Act protect?
The VCDPA also provides consumers with certain rights related to their personal data. Under the Act, these rights include:
- The right to know, access and confirm personal data.
- The right to delete personal data.
- The right to correct inaccuracies in personal data.
- The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company).
- The right to opt out of the processing of personal data for targeted advertising purposes.
- The right to opt out of the sale of personal data.
- The right to opt out of profiling based upon personal data.
- The right to not be discriminated against for exercising any of the foregoing rights.
Practically speaking, in order to comply with the VCDPA, companies need to inform consumers of their rights under the Act and create a process through which consumers can exercise those rights. The Act also implements other business obligations with regard to personal data. For example, companies subject to the Act must obtain consent prior to collecting and processing certain categories of sensitive personal data such as precise geolocation data, data about protected characteristics and genetic or biometric data. Like the CCPA, the VCDPA also requires that when a company uses service providers to process data on the company’s behalf, the company must enter into a special contract with that service provider which implements the requirements of the Act and makes clear the service provider’s responsibilities with respect to the personal data that they process.
Additionally, the VCDPA requires that companies only hold the pieces of data they need for a specific purpose and for only as long as is necessary to achieve that purpose; these principles are commonly referred to as purpose limitation and data minimization. The VCDPA also requires that companies implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data. Although it is still unclear how this reasonableness standard will be enforced, a company’s data security measures are likely sufficient if they follow a recognized industry standard, taking into account the size and sophistication of the company and the personal data it processes. Finally, unlike the CCPA but like the European Union General Data Protection Regulation (the “GDPR”), the Act requires companies to conduct and document a data protection assessment when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling or profiling.
The VCDPA will be enforced by the Virginia Attorney General and allows for a 30-day cure period, but uncured non-compliance can result in a civil penalty of up to $7,500 per violation. Unlike the CCPA, the Act does not create a private right of action for citizens.