On January 29, 2021 and February 3, 2021, respectively, the Virginia House of Delegates and Virginia Senate passed the Virginia Consumer Data Protection Act (VCDPA). The legislation, if signed into law by the governor, would be the first comprehensive privacy law enacted by a state since California enacted the California Consumer Privacy Act (CCPA) and, more recently, the California Privacy Rights Act (CPRA). Though the VCDPA is not slated to take effect until January 1, 2023, it will be important for companies to understand the complicated provisions of the VCDPA much earlier, so they can begin instituting any necessary changes in their internal and public-facing policies and their information practices. The VCDPA’s passage may also spur other states to enact their own privacy laws, which until now have been mired in legislative purgatory.

Some of the more significant aspects of the VCDPA are summarized in this post.

Scope and Exemptions

The VCDPA applies to anyone conducting business in Virginia who controls or processes personal data of at least 100,000 Virginia consumers, or who controls or processes personal data of at least 25,000 Virginia consumers and derives more than half of their revenue from the sale of personal data. The VCDPA does not apply to the following entities:

  • Virginia state agencies, boards, commissions, or political subdivisions
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities or business associates covered by HIPAA regulations
  • Nonprofit organizations
  • Institutions of higher education

Other provisions exempt particular types of data, including data covered by the GLBA, HIPAA, Fair Credit Reporting Act (FCRA), Driver Privacy Protection Act (DPPA), the Federal Educational Rights and Privacy Act (FERPA), the Farm Credit Act, and the Children’s Online Privacy Protection Act (COPPA).

Despite the exemptions, the Virginia law will apply to numerous entities that control and/or process large amounts of data, including most social media platforms, large internet companies that do business in the state, and numerous other entities that engage with Virginia consumers.

Personal Data Rights

The VCDPA allows Virginia residents to invoke personal data rights and to submit requests that (1) seek confirmation that a data controller is processing the consumer’s data, (2) ask to correct inaccuracies of data, (3) delete personal data provided by or obtained about the consumer, (4) obtain a copy of the personal data previously provided by the consumer, or (5) opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that have legal or other significant impacts on the consumer. Consumers can make such requests twice annually, and the data controller must respond pursuant to a timeline, provide an appeal right, and provide consumers a mechanism to submit complaints to Virginia’s Attorney General.

Data Controller Responsibilities

Under the VCDPA, data controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which such data is processed. They must also implement administrative, technical, and physical data practices to protect the confidentiality of personal data. Additionally, data controllers cannot process certain sensitive data (including data that contains racial, genetic, or geolocation data, for example) without obtaining the consumer’s consent. Controllers also must provide meaningful privacy notices, provide notice and an opt-out right with regard to any efforts to sell data or use it for targeted advertising, and provide a secure mechanism to allow consumers to exercise their consumer rights under the VCDPA. Significantly, consumers must be allowed to exercise their rights without needing to create an account with the data controller. Data controllers must also contractually protect the confidentiality and privacy of data shared with data processors, whose role must be limited and circumscribed by such contracts. They should also take reasonable efforts to ensure that any de-identified data cannot be re-identified or associated with a natural person, and are not generally compelled to provide consumers with de-identified data.

Data Protection Assessments

Data controllers are required to conduct data protection assessments of their processing of personal data for targeted advertising, the sale of personal data, the processing of personal data for purposes of profiling (where discrimination or injury may result), the processing of sensitive data, and other data processing activities that present a heightened risk of harm to consumers. Such assessments should weigh the public benefits and risks of any data processing against the risks to the rights of the consumer that may result. The Attorney General of Virginia can request and review these data protection assessments for investigative purposes.

Safe Harbors

The VCDPA states that nothing in the statute shall be construed to limit data controllers’ and processors’ ability to comply with federal, state, or local laws; cooperate with law enforcement; defend legal claims; perform obligations requested by consumers; take steps essential to promote life and safety; prevent and detect security breaches and harassment; engage in scientific research; or assist third parties with such activities. In addition, data controllers or processors are not restricted from collecting, using, or retaining data to conduct internal research to develop, improve, or repair products or technology; effectuate a product recall; identify and repair technical errors that impair existing or intended functionality; or perform internal operations that are reasonably aligned with the expectations of the consumers or reasonably anticipated based on the consumer’s existing relationship with the data controller. Finally, data controllers are not liable for the actions of third-party controllers or processors to whom they disclose data if those third parties commit violations and the controller or processor lacked actual knowledge that the recipient of the data intended to commit a violation of the Act. However, data controllers and processors do have the burden to show that they meet any safe harbor or exemption.

Enforcement and Penalties

Virginia’s Attorney General has the exclusive authority to enforce violations of the VCDPA. There is no private right of action. Before initiating any action, the Attorney General must provide 30 days written notice to a controller or processor alleging the specific provisions violated, along with an opportunity to cure the violation(s) and cease all violating activity. If the violations are not cured, the Attorney General may initiate an action that may result in statutory damages of $7,500 per violation and an injunction. The Attorney General may also recover attorneys’ fees.