Following in the footsteps of the California Consumer Privacy Act (CCPA), the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation. The Virginia Consumer Data Protection Act (VCDPA) was signed into law by Governor Ralph Northam yesterday, March 2, 2021. The VCDPA will become effective on January 1, 2023, right alongside the recently enacted California Privacy Rights Act (CPRA), which significantly amended the CCPA (additional information on the CPRA can be found here). The following is a brief description of the VCDPA’s key components. Keep an eye out for a forthcoming article outlining the most important differences between the VCDPA and the CPRA.
Controllers and Processors
The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:
Like the European Union’s General Data Protection Regulation (GDPR), the VCDPA distinguishes between controllers and processors:
Through the definition of “consumer” and other provisions, the VCDPA generally does not apply to information about a natural person acting in a commercial (B2B) or employment context (including emergency contact information and benefits information). §§ 59.1-571; 59.1-572.C.14. It is important to note that unlike the CCPA, there is no sunset period for this exemption.
The VCDPA further does not apply to (i) non-profit organizations; (ii) institutions of higher education; (iii) Virginia government entities; (iv) financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); (v) covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA), nor any protected health information under HIPAA and certain other regulated health information; and (vi) processing of information pursuant to the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), and the Farm Credit Act (FCA). § 59.1-572.
The VCDPA also contains a number of additional limitations on the reach of the VCDPA that are beyond the scope of this article. § 59.1-578.
The VCDPA protects “Personal Data,” which is defined broadly to mean any information that is linked or reasonably linkable to an identified or identifiable natural person. § 59.1-571.
The Act delineates “Sensitive Data” as a separate category of personal data, which includes: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child under the age of 13; or precise geolocation data (any information derived from technology that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet). § 59.1-571.
Personal data under the VCDPA does not include:
The VCDPA also excludes “Pseudonymous Data” from certain controller obligations (excluding the Sensitive Data restrictions) and certain consumer rights (excluding the opt-out rights), provided the controller can demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 59.1-577.D.
The VCDPA requires a controller to:
De-Identified Data Requirements:
Data Protection Assessments: Conduct and document a data protection assessment for:
The VCDPA requires processors to:
The VCDPA requires a controller to comply with authenticated requests to exercise the following rights:
The VCDPA is unique in that it provides a statutory right to appeal the denial of a consumer rights request. If such an appeal is denied, the controller must ensure the consumer is provided with “an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.” § 59.1-573.C
The Virginia Attorney General will have exclusive authority to enforce the VCDPA through civil investigative demands and civil actions for injunctive relief and civil penalties of not more than $7,500 per violation. The Act includes a 30-day right-to-cure provision and does not contain a private right of action. §§ 59.1-579; 59.1-580.
In summary, the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation, following in the footsteps of the CCPA. The VCDPA will become effective on January 1, 2023, and will (i) impose new obligations on both controllers and processors who process personal data of Virginia residents and (ii) grant new rights to Virginia residents with respect to their personal data. Stay tuned for further updates on preparing for the VCDPA and how this new law compares to other comprehensive data protection legislation.