In the midst of what is becoming a national patchwork of data privacy laws,¹ on March 2, 2021 Virginia became the second state to enact a comprehensive data privacy law.² Although the Virginia Consumer Data Protection Act (the “VCDPA” or the “Act”) does not become effective until January 1, 2023, we thought it would be worthwhile to explore its major provisions in order to allow companies to begin preparing for compliance.

Like the California Consumer Privacy Act (the “CCPA”), the VCDPA can apply to businesses which are not headquartered or incorporated in Virginia, but which nonetheless do business there. The VCDPA applies to companies that:

1. Conduct business in Virginia or market their goods and services to Virginia residents; and
2. Either:
   1. Control or process the personal data of at least 100,000 Virginia residents; or
   2. Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data.

The VCDPA also provides consumers with certain rights related to their personal data. Under the Act, these rights include:

1. The right to know, access and confirm personal data.
2. The right to delete personal data.
3. The right to correct inaccuracies in personal data.
4. The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company).
5. The right to opt out of the processing of personal data for targeted advertising purposes.
6. The right to opt out of the sale of personal data.
7. The right to opt out of profiling based upon personal data.
8. The right to not be discriminated against for exercising any of the foregoing rights.

Practically speaking, in order to comply with the VCDPA, companies need to inform consumers of their rights under the Act and create a process through which consumers can exercise those rights. The Act also implements other business obligations with regard to personal data. For example, companies subject to the Act must obtain consent prior to collecting and processing certain categories of sensitive personal data such as precise geolocation data, data about protected characteristics and genetic or biometric data. Like the CCPA, the VCDPA also requires that when a company uses service providers to process data on the company’s behalf, the company must enter into a special contract with that service provider which implements the requirements of the Act and makes clear the service provider’s responsibilities with respect to the personal data that they process.

Additionally, the VCDPA requires that companies only hold the pieces of data they need for a specific purpose and for only as long as is necessary to achieve that purpose; these principles are commonly referred to as purpose limitation and data minimization. The VCDPA also requires that companies implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data. Although it is still unclear how this reasonableness standard will be enforced, a company’s data security measures are likely sufficient if they follow a recognized industry standard, taking into account the size and sophistication of the company and the personal data it processes. Finally, unlike the CCPA but like the European Union General Data Protection Regulation (the “GDPR”), the Act requires companies to conduct and document a data protection assessment when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling or profiling.³

The VCDPA will be enforced by the Virginia Attorney General and allows for a 30-day cure period, but uncured non-compliance can result in a civil penalty of up to $7,500 per violation. Unlike the CCPA, the Act does not create a private right of action for citizens.

In order to prepare for enforcement of the VCDPA, we recommend that companies review their personal data processing activities, data security measures, privacy policies and service provider contracts. We also recommend considering an overall strategy for fulfilling requests by consumers who wish to exercise their rights under either the CCPA or the VCDPA.

¹ For an in depth look at the current status of various state law data privacy bills, see https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.

² It is worth mentioning that Nevada and Maine have both enacted data privacy laws, but they are not considered “comprehensive,” as that term is used by the International Association of Privacy Professionals.

³ Under the GDPR, these are known as Data Privacy Impact Assessments (DPIAs) and are similarly only required when a company is engaging in higher risk data processing activities.