Following in the footsteps of the California Consumer Privacy Act (CCPA), the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation. The Virginia Consumer Data Protection Act (VCDPA) was signed into law by Governor Ralph Northam yesterday, March 2, 2021. The VCDPA will become effective on January 1, 2023, right alongside the recently enacted California Privacy Rights Act (CPRA), which significantly amended the CCPA (additional information on the CPRA can be found here). The following is a brief description of the VCDPA’s key components. Keep an eye out for a forthcoming article outlining the most important differences between the VCDPA and the CPRA.
Who Is Required to Comply?
Controllers and Processors
The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:
- during a calendar year, control or process personal data of at least 100,000 Virginia residents; or
- control or process personal data of at least 25,000 Virginia residents and derive more than 50 percent of gross revenue from the sale of personal data. § 59.1-572.A
Like the European Union’s General Data Protection Regulation (GDPR), the VCDPA distinguishes between controllers and processors:
- A controller is the natural or legal person that, alone or jointly with others, determines the purpose and means (i.e., the why and the how) of processing personal data. § 59.1-571
- A processor is the natural or legal entity that processes personal data on behalf of the controller. § 59.1-571
Statutory Exemptions
Through the definition of “consumer” and other provisions, the VCDPA generally does not apply to information about a natural person acting in a commercial (B2B) or employment context (including emergency contact information and benefits information). §§ 59.1-571; 59.1-572.C.14. It is important to note that unlike the CCPA, there is no sunset period for this exemption.
The VCDPA further does not apply to (i) non-profit organizations; (ii) institutions of higher education; (iii) Virginia government entities; (iv) financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); (v) covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA), nor any protected health information under HIPAA and certain other regulated health information; and (vi) processing of information pursuant to the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), Family Educational Rights and Privacy Act (FERPA), and Farm Credit Act (FCA). § 59.1-572
The VCDPA also contains a number of additional limitations on its application that are beyond the scope of this article. § 59.1-578
What Information Is Protected?
Personal Data
The VCDPA protects “Personal Data,” which is defined broadly to mean any information that is linked or reasonably linkable to an identified or identifiable natural person. § 59.1-571
The Act delineates “Sensitive Data” as a separate category of personal data, which includes: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child under the age of 13; or precise geolocation data (any information derived from technology that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet). § 59.1-571
Personal data under the VCDPA does not include:
- De-Identified Data, which is data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. § 59.1-571
- Publicly Available Information, which includes information lawfully made available from government records and information the controller or processor has a reasonable basis to believe is lawfully made available to the general public under certain circumstances. § 59.1-571
The VCDPA also excludes “Pseudonymous Data” from certain controller obligations (other than the Sensitive Data restrictions) and certain consumer rights (other than the Opt-Out rights), provided the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 59.1-577.D
What Obligations Do Controllers Have?
The VCDPA requires a controller to:
What Obligations Do Processors Have?
The VCDPA requires processors to:
- Comply with Instructions: Adhere to the instructions of a controller. § 59.1-575.A
- Provide Assistance to the Controller: Assist the controller in meeting its obligations under the VCDPA, including in relation to (i) consumer rights requests, (ii) protecting personal data and reporting any breach of personal data and (iii) data protection assessments. § 59.1-575.A
- Controller Contracts: Enter into the necessary contract with the controller. § 59.1-575.B
What Rights Are Granted to Consumers?
The VCDPA requires a controller to comply with authenticated requests to exercise the following rights:
- Right to Access: To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data. § 59.1-573.A.1
- Right to Portability: To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. § 59.1-573.A.4
- Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. § 59.1-573.A.2
- Right to Opt Out: To opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 59.1-573.A.5
- Right to Deletion: To delete personal data provided by or obtained about the consumer. § 59.1-573.A.3
The VCDPA is unique in that it provides a statutory right to appeal the denial of a consumer rights request. If such an appeal is denied, the controller must ensure the consumer is provided with “an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.” § 59.1-573.C
How Is the Law Enforced?
The Virginia Attorney General will have exclusive authority to enforce the VCDPA through civil investigative demands and civil actions for injunctive relief and civil penalties of not more than $7,500 per violation. The Act provides a 30-day right-to-cure provision and does not contain a private right of action. §§ 59.1-579; 59.1-580
Conclusion
In summary, the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation, following in the footsteps of the CCPA. The VCDPA will become effective on January 1, 2023, and will (i) impose new obligations on both controllers and processors who process personal data of Virginia residents and (ii) grant new rights to Virginia residents with respect to their personal data. Stay tuned for further updates on preparing for the VCDPA and how this new law compares to other comprehensive data protection legislation.