What Businesses in Tennessee and Across the U.S. Can Take From Virginia’s New Consumer Data Protection Act

Virginia Gov. Ralph Northam recently signed the Virginia Consumer Data Protection Act (VCDPA) into law, making Virginia the second state, following California, to adopt comprehensive consumer data privacy legislation.

Like the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), the new law gives Virginia consumers more control over how businesses collect and use their personal data. The law also creates security and assessment requirements for businesses. The VCDPA takes effect on January 1, 2023, but companies doing business or selling to consumers in Virginia should begin evaluating applicability and compliance obligations now. And, while many small businesses are exempt from the CCPA and VCDPA, all businesses that collect and use personal information online should be following state developments in this area and ensuring their privacy policies and practices are clearly communicated to consumers. Businesses across the U.S. should take account of these Virginia privacy measures and others like CCPA, as we expect to see additional states adopt similar legislation.

A Breakdown of the VCDPA
The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and either:
Control or process the personal data of at least 100,000 consumers each calendar year; or
Control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.
The VCDPA contains a number of significant exclusions similar to, but more expansive than, those in the CCPA, excluding certain entities and categories of collected data. For example, the VCDPA exempts (1) Virginia state bodies and agencies; (2) financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA); (3) covered entities or business associates governed by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act; (4) nonprofit organizations; and (5) institutions of higher education.

The VCDPA defines “sale of personal data” as “the exchange of personal data for monetary consideration,” which should have more narrow application than the CCPA’s “valuable consideration” standard.

Exclusions from the sale of personal data include the following:

• Disclosures to processors
• Disclosures to a third party for purposes of providing a product or service requested by the consumer
• Disclosures to an affiliate
• Disclosures of information that the consumer intentionally made available to the general public via a mass media channel and did not restrict to a specific audience
• Disclosures as part of a merger, acquisition, bankruptcy, or similar transaction

Similar to the CCPA and GDPR, the VCDPA provides consumers specific rights to access their personal data, correct inaccuracies, delete personal data, obtain a copy of their data in a portable format, and opt-out of targeted advertising and sales of such data.

Obligations Under VCDPA and What Other States May Consider
If VCDPA applies to your business, you’ll want to understand the following. And if not, still read along so your business can determine whether these obligations could be met if similar measures are imposed by your applicable state(s).

The VCDPA imposes several obligations on businesses including:

• Limitations on the collection and use of personal data to what is adequate, relevant, and reasonably necessary for the purpose of such data being processed
• Maintaining reasonable administrative, technical, and physical data security practices to protect personal data
• Restrictions on discriminating against consumers for exercising any of their consumer rights
• Obtaining consent before processing sensitive data concerning a consumer
  • Consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer [and] may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

The VCDPA also requires businesses to provide consumers with a privacy notice or policy. The notice must include the following:

• The categories of personal data processed
• The purpose for processing personal data
• How consumers may exercise their consumer rights and appeal a decision regarding a consumer request
• The categories of personal data that are shared with third parties
• The categories of third parties with whom the business shares personal data

These privacy notice elements are important for any business, regardless of location, to consider if the business collects information online through a website or mobile application.

What’s on the Horizon
Several other states have pending bills or are considering adopting similar legislation regarding personal data protection and consumer privacy rights. As these laws form a patchwork of varying standards across the U.S., a practical solution for some businesses may be to adopt policies and procedures that apply to all consumers, regardless of state of residency, following the most protective and restrictive requirements. However, businesses that have complied with CCPA or GDPR should not assume they already comply with the new Virginia law, as each law has its nuances. Online businesses, including those based in our home state of Tennessee, should review their current privacy policies and practices and take steps to prepare for these anticipated new laws.