On March 2, 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), making Virginia the second state, after California, to enact general data privacy legislation. The VCDPA will take effect January 1, 2023, the same day as the California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA). The VCDPA shares common features with the CCPA, but its terminology more closely resembles the European Union’s General Data Protection Regulation (GDPR) in some respects. For example, the VCDPA uses the GDPR-derived terminology, “controller” and “processor,” rather than the CCPA terms, “business” and “service provider.”
Below we cover some of the key elements of the VCDPA and discuss how they compare to the CCPA and CPRA.
The VCDPA applies to entities that conduct business in Virginia or produce products and services that target Virginia residents and satisfy the below criteria during a calendar year:
- control or process personal data of 100,000 or more Virginia consumers; or
- control or process the personal data of 25,000 or more Virginia consumers and derive over 50% of gross revenue from the sale of personal data.
The VCDPA includes exemptions for entities that are subject to relevant provisions of other privacy laws and regulations, including the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), among others. Activities regulated by and authorized under the Fair Credit Reporting Act (FCRA) are also exempt.
The law applies to the data of Virginia residents acting in an individual or household capacity and expressly excludes a person “acting in a commercial or employment context,” effectively excluding from the law’s reach employment data and personal data processed in a business-to-business context.
Generally speaking, the VCDPA is similar in scope to the CPRA, except that it lacks the $25 million annual revenue threshold found in the CCPA and CPRA. Also, in contrast to the CCPA and CPRA, the VCDPA’s GLBA and HIPAA exemptions exempt the entire business—rather than just the data—subject to GLBA or HIPAA.
The VCDPA provides consumers with five main rights:
Right to Know and Access
Consumers have the right to confirm whether or not a controller is processing their personal data and to access such personal data. Consumers also have this right under the CCPA.
Right to Correct
Consumers have the right to correct inaccuracies in their personal data. Consumers will also have this right under the CPRA.
Right to Delete
Consumers have the right to have controllers delete personal data provided by or obtained about them. Consumers also have this right under the CCPA.
Right to Data Portability
Consumers have the right to obtain a copy of the personal data they previously provided to a controller. Consumers also have this right under the CCPA.
Right to Opt-Out
Consumers have the right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, and (iii) certain profiling activities. Consumers have the right to opt-out of the sale or sharing of personal information under the CPRA.
The VCDPA imposes the following requirements, among others, on controllers:
Controllers are required to provide a privacy notice to consumers that includes the following elements, which are similar to some of the required content in a CCPA privacy notice:
- the categories of personal data processed by the controller;
- the purpose for processing personal data;
- how consumers may exercise their consumer rights;
- the categories of personal data that the controller shares with third parties, if any;
- the categories of third parties, if any, with whom the controller shares personal data; and
- if the controller sells personal data to third parties or processes personal data for targeted advertising, clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing.
Data Processing Agreements
Processing activities undertaken by a processor on behalf of a controller must be governed by a data processing agreement which must contain certain content as set forth in the VCDPA. The CCPA and CPRA also set forth content requirements for agreements between businesses and their service providers and contractors.
Controllers must limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed. The CPRA imposes a similar obligation on businesses.
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The CCPA requires that a covered business implement “reasonable security procedures and practices” appropriate to the nature of the personal information and includes a private right of action for failure to do so that is especially relevant to data breaches.
Controllers must obtain a consumer’s consent before processing sensitive personal data, which is defined to include, among other categories, precise geolocation data, biometric data, sexual orientation, religious beliefs, and children’s personal data. The CPRA establishes a similar category of sensitive data and will allow California residents to opt-out of its processing. There are differences between the CPRA and VCDPA definitions, however. The CPRA definition, for example, includes Social Security Number, driver’s license number, and certain other government identification numbers, and certain financial account and payment card information, while the VCDPA does not.
Data Protection Assessments
Controllers are required to conduct “data protection assessments” to evaluate the risks associated with certain processing activities, including processing personal data for targeted advertising, selling personal data, and processing sensitive data. The CPRA imposes a similar obligation.
Controllers must establish a process for consumers to appeal the controller’s denial or failure to comply with a consumer’s rights request under the VCDPA and notify consumers of such a process.
The VCDPA also imposes obligations on processors. Processors are required to:
- adhere to the instructions of the controller;
- assist the controller, through technical and organizational measures, in meeting its obligation to respond to consumer rights requests;
- assist the controller in meeting its data security and data breach notification obligations under the VCDPA and Virginia’s data breach notification law; and
- provide the controller information to assist the controller in undertaking a data protection assessment.
In addition, as noted above, the VCDPA requires contracts between controllers and processors to include certain terms, so contract amendments to address these additional obligations may be required with controllers as well as sub-processors.
The VCDPA does not have a private right of action. The VCDPA will be enforced solely by the Virginia Attorney General. Enforcement actions may be initiated only after the Attorney General has provided a 30-day opportunity to cure an alleged violation. If the entity fails to cure, the Attorney General may impose a maximum civil penalty of $7,500 per violation. Notably, unlike the CCPA, the VCDPA does not grant the Attorney General or any other agencies rulemaking authority (although a working group is being established to provide best practices recommendations to the Virginia Legislature by November 2021). Also, in contrast to the CPRA, the VCDPA does not establish a separate data protection agency.
As a practical matter, companies should first consider whether and to what extent the VCDPA applies to them. If it does, they will need to consider making changes to their public-facing privacy notices, vendor agreements, and internal compliance policies and practices, as well as conduct data protection assessments, if required. Organizations that have already taken the steps necessary to come into compliance with the CCPA and/or the GDPR likely will be able to build on those frameworks.
The VCDPA does not take effect until January 1, 2023, but it is never too early to start assessing the law’s impact on your organization and making a plan to get into compliance. Organizations also should consider whether to organize their approach to these privacy laws on a state-by-state basis or instead begin to offer similar rights to consumers nationwide, recognizing that several other states—including Florida, Illinois, and Washington—are considering similar privacy bills of their own.
For assistance assessing the VCDPA’s impact on your organization, please contact Arnall Golden Gregory LLP’s Data Privacy team members Kevin L. Coy, Montserrat C. Miller, or Erin E. Doyle.