On February 3, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“VCDPA” or the “Act”). Upon approval from Governor Ralph Northam, Virginia will be the second state in the nation to adopt a comprehensive data privacy law. This proposed legislation places Virginia alongside California at the forefront of domestic data privacy regulations.

In 2020, California changed the landscape of data privacy laws in the United States with the California Consumer Privacy Act (CCPA). The CCPA, a result of a ballot initiative by California, introduced the idea of widespread data subject rights for American consumers. Nearly three years later, Virginia is securing the second place spot with its enactment of the VCDPA. The Act mirrors the CCPA and the European Union’s General Data Protection Regulation (GDPR) in many ways. For instance, the Act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, correct, delete, and request processing modifications with respect to their personal data.

Once signed into law, the VCDPA will be effective January 1, 2023. In the meantime, companies doing business in Virginia should start actively thinking of ways to incorporate VCDPA requirements into their existing privacy policies and procedures. The key features of the VCDPA are summarized below.

Who Must Comply?

 The VCDPA applies to anyone conducting business in Virginia who (i) controls or processes personal data of at least 100,000 Virginia consumers, or (ii) who controls or processes personal data of at least 25,000 Virginia consumers and derives more than half of their revenue from the sale of personal data.  Such an entity is defined as a “controller” under the Act.  The VCDPA does not apply to the following entities:

  • Virginia state agencies, boards, commissions, or political subdivisions;
  • Nonprofit organizations; and
  • Institutions of higher education.

Other provisions exempt particular types of data, including data regulated by:

  • Gramm-Leach Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Fair Credit Reporting Act (FCRA)
  • Driver Privacy Protection Act (DPPA)
  • Federal Educational Rights and Privacy Act (FERPA)
  • Farm Credit Act
  • Children’s Online Privacy Protection Act (COPPA).

What rights are afforded to Virginia residents?

The VCDPA provides Virginia residents with the following rights to their personal data:

  1. Access—a Virginia resident may seek confirmation that a data controller is processing the consumer’s personal data.
  2. Correction—a Virginia resident may ask the data controller to correct inaccuracies of personal data.
  3. Deletion— a Virginia resident, can require the data controller to delete personal data provided by or obtained about the consumer.
  4. Portability and Disclosure—a Virginia resident can obtain a copy of the personal data previously provided to the controller in a portable and readily usable format to transmit the personal data to another controller without hindrance.
  5. Opt-out of processing—a Virginia resident can opt-out of personal data processing for targeted advertising, the sale of personal data, or profiling to further decisions that have legal or other significant impact on the consumer.[1]

Consumers can make these requests twice a year. Upon a consumer’s request, the data controller must:

(i) accept or decline the request and respond to the consumer within 45 days of receipt of the request [just like under CCPA];

(ii) provide an appeal right to consumers for controller’s refusal to take action on a request; and

(iii) provide consumers a mechanism to submit complaints to Virginia’s Attorney General.[2]

What responsibilities do data controllers have versus processors?  

Borrowing a fundamental concept from the GDPR, the VCDPA distinguishes between obligations applicable to controllers and those applicable to “processors,” or those entities that process personal information on behalf of the controller. In short, a processor must adhere to the instructions of a controller (the entity with a direct relationship to the data subject, in this case a Virginia resident) and aid the controller in meeting the controller’s obligations under the Act. A controller, on the other hand, must abide by the remaining obligations under the Act. Specifically, data controllers must:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which such data is processed.
  • Implement administrative, technical, and physical safeguards to protect the confidentiality of personal data.
  • Data controllers cannot process certain sensitive data (including data that contains racial, genetic, or geolocation data, for example) without obtaining the consumer’s consent.
  • Provide meaningful privacy notices, provide notice and an opt-out right concerning any efforts to sell personal data or use it for targeted advertising, and provide a secure mechanism to allow consumers to exercise their consumer rights under the VCDPA. Consumers must be allowed to exercise their rights without needing to create an account with the data controller.
  • Contractually protect the confidentiality and privacy of personal data shared with data processors, whose role must be limited and circumscribed by such contracts.
  • Take reasonable efforts to ensure that any de-identified data cannot be re-identified or associated with a natural person and are not generally compelled to provide consumers with de-identified data.[3]

Does the Act provide exceptions or safe harbors? 

Yes. The VCDPA states that nothing in the statute shall be construed to limit data controllers’ and processors’ ability to comply with federal, state, or local laws, prevent and detect security breaches and harassment, or assist third parties with such activities.[4] Additionally, neither data controllers nor processors are prohibited from collecting, using, or retaining data to conduct internal research to develop products and technology, or perform internal operations that are reasonably aligned with the expectations of the consumers, or reasonably anticipated based on the consumer’s existing relationship with the data controller.[5] Finally, data controllers are not liable for third-party controllers or processors’ actions to whom they disclose data if those third parties commit violations and the controller or processor lacked actual knowledge that the recipient of the data intended to violate the Act. Data controllers and processors do, however, have the burden to show that they meet any safe harbor or exception.[6]

Does my business need to plan for how personal data may be impacted?

Yes. Data protection assessments are documented analyses of how processing activity impact personal data. The VCDPA requires data controllers to conduct data protection assessments of their processing of personal data for:

  • targeted advertising;
  • the sale of personal data;
  • the processing of personal data for profiling (where discrimination or injury may result);
  • the processing of sensitive data; and
  • other data processing activities that present a heightened risk of harm to consumers.

These assessments must be documented and should weigh the public benefits and data processing risks against the dangers to consumer rights. The Attorney General of Virginia has the authority to request and review these data protection assessments for investigative purposes.[7]

What happens if my business is in violation of VCDPA?

Virginia’s Attorney General has the exclusive authority to enforce violations of the VCDPA. Although no private right of action exists, Virginia residents may submit a complaint to the Virginia Attorney General requesting that the Commonwealth take action. The Attorney General must provide 30 days’ written notice to a controller or processor stating the specific provisions violated and provide the individual or business a chance to cure the violations and cease all prohibited activity, before initiating any action.[8] If the violations are not cured, the Attorney General may bring suit resulting in statutory damages of $7,500 per violation and also recover attorneys’ fees.[9]

So what’s next?

The season of legislative advances for privacy and data security never truly ends. Even with the CCPA being in effect for just over a year, California has already updated its legislation providing for additional consumer rights and business obligations. We expect to see more states adopt their own omnibus data laws and create a patchwork of regulations for businesses to navigate. Whether your business is subject to CCPA, VCDPA, GDPR, or anything else in the alphabet soup, we emphasize the importance of identifying how the requirements of statutes and regulations like these affect your business and the way you use personal data. Strategizing now about how your company will achieve and maintain compliance is more critical than ever as more states adopt their own laws targeted at protecting privacy and achieving accountability from businesses. Indeed, a good privacy and security program is the cost of doing business today.

To get an idea of what you can expect from the VCDPA and other states in the future, check out the Privacy and Data Security Insight archives for our ongoing series on the CCPA. For more information on the VCDPA or other privacy matters, please contact Taft’s Privacy and Data Security Team.

[1] See Senate Bill No. 1392 p. 3-4 (lines 174-191).

[2] See id. at p.4 (lines 192-219).

[3] See id. at p. 4-5 (lines 220-246).

[4] See id. at p. 7 (lines 368-371).

[5] See id. at p. 7 (lines 394-402).

[6] See id. at p. 7 (lines 408-415).

[7] See id. at p. 5-6 (lines 302-314).

[8] See id. at p. 8 (lines 438-443).

[9] See id. at p. 8 (lines 449-458).