'Most Innovative Startup 2020' by RSA - Watch the video

Learn More

What is Virginia’s Consumer Data Protection Act (VCDPA)?

Virginia has become the next US state to pass a comprehensive consumer data protection law which can be considered to be at par with other major state data privacy laws i.e the California Consumer Protection Act (CCPA) -or the recently passed Consumer Privacy Rights Act (CPRA)- and Washington Privacy Act (WPA). This new law shall provide comprehensive privacy rights to state residents of Virginia and impose a new set of obligations and duties on businesses managing consumer personal data.


Definition of Personal Data

  • Personal Data means any information that is linked or reasonably associated to an identified or identifiable natural person.
  • The VCDPA also categorizes certain data as "Sensitive data" which includes:
    • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
    • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
    • The personal data collected from a known child;
    • Precise geolocation data.
  • Publicly available and de-identified personal data are not covered under the law.
  • Certain forms of personal data are exempted from the law:
    • Medical data covered under any medical laws: Any health information, records, data and documents protected and covered under HIPAA, other federal or state medical laws including de-identified medical data and medical data for public health use or medical research under HIPAA or any other medical law or policy;
    • FCRA covered data: Any personal information of consumers used for consumer credit scoring and reporting protected under the federal Fair Credit Report Act (FCRA);
    • Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
    • FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
    • Farm credit data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act.

Data Subject Rights

All consumers may invoke the following rights by sending a verified request to the data controller (in case of a child, the parent/guardian may send the request on behalf of the child):

Confirm

The consumer shall have a right to confirm whether or not a controller is processing his/her personal data.

Access

The consumer has a right to access the personal data collected and processed about him/her by the data controller.

Rectify

The consumer has a right to have inaccurate personal data being stored or processed by the data controller be corrected.

Delete

The consumer has the right to have his/her personal data stored or processed by the data controller be deleted.

Port

The consumer has a right to obtain a copy of his/her personal data, in a portable, technically feasible and readily usable format that allows the consumer, where the processing is carried out by automated means, to transmit the data to another controller without hindrance.

Opt-out

The consumer has the right to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

  • Time period to fulfill DSR request: All data subject rights’ requests (DSR requests) must be fulfilled by the business within a 45 day period.
  • Extension in time period: Businesses may seek for an extension of 45 days in fulfilling the request depending on the complexity and number of the consumer's requests.
  • Denial of DSR request: If a DSR request is to be denied, the business must inform the consumer of the reasons within a 45 days period. Businesses can deny DSR requests from a consumer if they are unfounded, excessive, or repetitive.
  • Appeal against refusal: Consumers have a right to appeal the decision for refusal of grant of the DSR request. The appeal must be decided within 60 days.
  • Limitation of DSR requests per year: Information provided in response to a consumer request shall be provided by a controller up to twice annually per consumer.
  • Charges: DSR requests must be fulfilled free of charge. However, if requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request.

Who must comply?

  • VCDPA applies to all businesses in Virginia or those who produce products or services that are targeted to residents of Virginia and “control and process” the personal data of:
    • at least 100,000 Virginia residents; or
    • for an entity that derives over half (50%) of its gross revenue from the sale of personal data, of at least 25,000 Virginia residents.
  • The following entities are exempt from complying with the VCDPA:
    • Public/government bodies: any body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth;
    • GLBA entities: Financial Institutions or data which is subject to Title V of the federal Gramm-Leach-Bliley Act (GLBA);
    • HIPAA/HITECH covered entities: Any covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (HHS) pursuant to the federal Health Insurance Portability and Accountability Act (HIPAA) or the federal Health Information Technology for Economic and Clinical Health Act (HITECH);
    • COPPA compliant entities: Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (COPPA) will be deemed to be in compliance with the obligation to obtain parental consent.

Obligations of Controllers

Transparency

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice containing specific information including categories of data it shares or sells (including for targeted advertising) and means for consumers to exercise their rights.

Accountability

Controllers must undertake Data Protection Assessments (DPAs) before conducting certain types of risky processing, protect deidentified data from reidentification and comply with data subject requests made by consumers as well as ensure data processors it contracts with comply with the duties prescribed under this law.

Purpose limitation and Data Minimization

Controllers shall not collect unnecessary personal data of consumers or process the personal data for purposes beyond what was disclosed to consumers without gaining their consent.

Non Discrimination

Controllers may not process the personal data to discriminate against the consumer in any way - including discrimination for exercising their data privacy rights.

Consent Management

Controllers cannot process sensitive personal data (including data of minors) unless it has the express consent of the consumer (or parents/guardians of a minor child).

Data Security

Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue

Important Exceptions

The VCDPA does not apply to:

  • Data processed in an employment or commercial (business-to-business) context: Personal data processed by a controller, processor, or third party for the following reasons are exempt from the application of this law:
    • in the course of an individual applying to, employed by, or acting as an agent of a controller, processor, or third party as long as the data is processed within that context;
    • necessary for the controller, processor, or third party to retain to administer benefits for another individual related to the individual highlighted in part (a) i.e an employee or contractor as long as the data is used for the purposes of administering those benefits.
    • As the emergency contact information of an individual used for emergency contact purposes;
  • Data processed for household purposes or free speech: Nothing in this law should be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.
  • Data processed for internal purposes: Nothing in this law restricts a controller or processor from processing personal data to conduct internal research to improve or repair products, services, or technology or to identify and repair technical errors that impair existing or intended functionality or to undertake internal operations reasonably aligned with the consumer’s expectations for performance of a service or provision of a product.
  • Data processed for legal obligations: Nothing in this law restricts a controller or processor from complying with other applicable laws, to claim or defend legal claims or cooperate with government authorities or investigations.
  • Data processed to protect life and physical safety: Nothing in this law restricts a controller or processor from taking immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
  • Data processed for security purposes: Nothing in this law restricts a controller or processor from processing data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
  • Data processed for scientific purposes:  Nothing in this law restricts controllers from engaging in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine:
    • if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
    • the expected benefits of the research outweigh the privacy risks; and
    • if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

Non-compliance risks and Penalties

The Virginia Attorney General may issue a civil investigative demand to any controller or processor believed to be engaged in, or about to engage in, any violation.

The state AG also retains exclusive authority to enforce the VCDPA by bringing an action in the name of the Commonwealth, or on behalf of persons residing in the Commonwealth as well as reasonable expenses incurred in investigating and preparing the case, including attorney fees against violators.

Thus covered businesses must comply with the law or face civil penalties for non-compliance up to $7500 for each violation as well as an injunction to stop the violation from further continuing.


Key Facts

1

The provisions of this act shall become effective on January 1, 2023.

2

The VCDPA is structurally very similar to the CPRA (which has amended the CCPA) but it has some significant differences.

3

The Data Protection Assessments under the VCDPA shall identify and weigh the benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing activities after accounting for mitigating factors.

4

The requirement to conduct Data Protection Assessments under the VCDPA shall apply to processing activities created or generated after January 1, 2023, and is not retroactive.

5

VCDPA defines a minor below 13 years of age for the additional protections it provides.

6

There is no 12 months time limit as found in the CPRA or CCPA after which the business can re-ask for the consent of the consumer who chooses to exercise the right to opt-out.

7

The VCDPA requires that opt-in consent be collected for processing of children’s Personal Data, use of Sensitive Personal Data and use of Personal Data beyond the initial purpose for which it was collected for.

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.

Get the Book

“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc