Virginia Consumer Data Protection Act (VCDPA)

Important Exceptions

The VCDPA does not apply to:

• Data processed in an employment or commercial (business-to-business) context: Personal data processed by a controller, processor, or third party for the following reasons are exempt from the application of this law:
  • in the course of an individual applying to, employed by, or acting as an agent of a controller, processor, or third party as long as the data is processed within that context;
  • necessary for the controller, processor, or third party to retain to administer benefits for another individual related to the individual highlighted in part (a) i.e an employee or contractor as long as the data is used for the purposes of administering those benefits.
  • As the emergency contact information of an individual used for emergency contact purposes;
• Data processed for household purposes or free speech: Nothing in this law should be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.
• Data processed for internal purposes: Nothing in this law restricts a controller or processor from processing personal data to conduct internal research to improve or repair products, services, or technology or to identify and repair technical errors that impair existing or intended functionality or to undertake internal operations reasonably aligned with the consumer’s expectations for performance of a service or provision of a product.
• Data processed for legal obligations: Nothing in this law restricts a controller or processor from complying with other applicable laws, to claim or defend legal claims or cooperate with government authorities or investigations.
• Data processed to protect life and physical safety: Nothing in this law restricts a controller or processor from taking immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
• Data processed for security purposes: Nothing in this law restricts a controller or processor from processing data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
• Data processed for scientific purposes:  Nothing in this law restricts controllers from engaging in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine:
  • if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • the expected benefits of the research outweigh the privacy risks; and
  • if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

Non-compliance risks and Penalties

The Virginia Attorney General may issue a civil investigative demand to any controller or processor believed to be engaged in, or about to engage in, any violation.

The state AG also retains exclusive authority to enforce the VCDPA by bringing an action in the name of the Commonwealth, or on behalf of persons residing in the Commonwealth as well as reasonable expenses incurred in investigating and preparing the case, including attorney fees against violators.

Thus covered businesses must comply with the law or face civil penalties for non-compliance up to $7500 for each violation as well as an injunction to stop the violation from further continuing.