The New Virginia Consumer Data Protection Act

Dunlap Bennett & Ludwig PLLC

Last year, Virginia became the second state (after California) to enact a consumer privacy law. That law, the Virginia Consumer Data Protection Act (VCDPA), went into effect on January 1, 2023.

Though the new law is modeled after the California Consumer Privacy Act of 2018 (CCPA), it stops short of the sweeping protections in the California law because it excludes employee and business representative data. However, businesses must still be mindful of the obligations the new Virginia law creates.

Here are the key provisions of the VCDPA that businesses need to understand.

Who does the VCDPA protect?

The VCDPA protects “consumers,” defined as Virginia residents acting in an individual or household context. The law excludes individuals acting in an employment or commercial context from protection.

Under the VCDPA, consumers have the right to know whether controllers — the companies that determine why and how to process personal data — are processing their personal data.

Consumers also have the right to access, correct inaccuracies in, and delete their personal data. Additionally, the law affords them the right to download a portable copy of their data in a format that allows them to transmit the data to another controller. Consumers also can opt out of the sale and use of their data for targeted advertising or profiling that has a “legal or similarly significant effect” on them.

What data does the VCDPA safeguard?

The VCDPA defines “personal data” as any information linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include any publicly available or de-identified data, which is any data that cannot be linked to a person.

The law also exempts certain types of data from its coverage. The law does not apply to data held by a public utility, employment records, protected health information processed by covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), and other types of information already regulated under other federal laws, including the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), and the Farm Credit Act.

Who is subject to the VCDPA?

The VCDPA applies to controllers — a company that determines the purposes for and means of processing personal data — and processors — a company that processes personal data on behalf of a controller — that meet two requirements:

  1. They conduct business in Virginia or sell products or services intentionally targeted to Virginia residents.
  2. They control or process the personal data of 100,000 or more consumers during a calendar year or control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Nonprofits, public companies, and higher education institutions are exempt from the law, as are financial institutions regulated by the GLBA and some healthcare entities that fall under HIPAA.

What steps should businesses take to comply with the VCDPA?

In addition to limiting the collection of data to what is “adequate, relevant, and reasonably necessary” for business purposes, the VCDPA requires businesses to take several steps to ensure compliance and avoid injunctions and penalties of up to $7,500 per violation.

1. Issuing a privacy notice

Controllers must prepare a privacy notice that explains to consumers what data they are collecting and why they are collecting it. The notice must also explain how consumers can exercise their rights, including their right to appeal. This means controllers must share their contact information. The notice must also detail whether the company shares any of the collected personal data with third parties, explaining the categories of data shared and describing the categories of the third parties.

Any controller that sells personal data to third parties or that processes personal data for targeted advertising must disclose these practices and explain how consumers can opt out of this processing. Note that the VCDPA defines the “sale” of personal data as the exchange of data for monetary consideration. It does not consider a “sale” to include disclosing personal data to a processor that processes the personal data on the controller’s behalf, disclosing or transferring data to a third party to provide a product or service requested by a consumer, disclosing or transferring personal data to an affiliate of the controller, disclosing data as part of a transaction like a merger or acquisition, or disclosing personal data that consumers have intentionally made available to the public through mass media.

2. Requiring consumers to opt-in before processing sensitive data

Consumers must consent before a controller can process their sensitive personal information. The law defines “sensitive data” as follows:

  • Personal data that reveals an individual’s race, ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status
  • Personal data that comes from a child under 13
  • Genetic or biometric data processed to identify an individual
  • Precise geolocation data

Businesses such as delivery app services, fitness trackers, and location-based services must obtain consumers’ opt-in consent before processing personal data. They must also obtain consent from parents or guardians in compliance with COPPA before processing a minor’s data.

3. Implementing data security practices

Controllers should implement “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” These practices must be “appropriate to the volume and nature of the personal data at issue.”

Before processing data, companies must also conduct a data protection assessment for processing personal data for targeted advertising, selling personal data, processing personal data for profiling if it presents a risk of unfair treatment or injury to consumers, processing of sensitive data, and processing activities that present a “heightened risk of harm” to consumers. The assessment should weigh the benefits of processing to controllers, consumers, other stakeholders, and the public against the potential risks to consumers. It should also determine whether any risks can be mitigated by safeguards. Using de-identified data and meeting consumers’ reasonable expectations should be factored into the assessment.

The attorney general may request controllers to produce their data protection assessments in an investigation. However, these assessments are exempt from FOIA requests.

4. Signing a data processing arrangement

Before a processor processes data on a controller’s behalf — including the collection, use, storage, disclosure, analysis, deletion, or modification of personal data — the controller and processor must enter a contract with five requirements:

  1. Keeping the data confidential
  2. Deleting or returning all personal data to the controller at the end of the relationship except as required by law
  3. Making data available to the controller upon request
  4. Cooperating with third-party assessments
  5. Creating similar agreements with any subcontractors

All processors must follow controllers’ instructions and help controllers meet their obligations under the VCDPA.

5. Responding to data subject requests

When a controller receives a request from a consumer, it must respond within 45 days. This deadline may be extended another 45 days if the controller timely notifies the consumer of the need for the extension.

If the controller decides not to take action on a request, it must notify the consumer within 45 days. If the controller provides information, it must be given free of charge to the consumer up to twice a year. The controller may charge a reasonable administrative fee to cover the costs of complying with or declining the request.

Consumers have the right to appeal a controller’s refusal to act on their request. The controller must establish an appeal process that ensures a written response, with an explanation, to consumers within 60 days of receipt of the appeal. The controller must also establish an online mechanism for contacting the attorney general to submit a complaint if the appeal is denied.

The impact of the VCDPA

The VCDPA is the latest in Virginia’s patchwork of privacy laws, which include the Personal Information Privacy Act addressing limitations on merchants’ use of personal data, the Insurance Data Security Act governing insurers, and the Data Breach Notification Law, which requires businesses and government agencies to notify residents of any breach that could lead to fraud or identity theft.

Organizations subject to the law should review their data collection and processing protocols. They should also update their privacy policies, create a procedure for handling consumer requests and appeals, and begin conducting data protection assessments.
