Karen L. Neuman
Washington, D.C. +1 202 261 3354
On March 2, 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA). The law passed the state legislature with strong bipartisan support. With a stroke of the pen, Virginia became the third state (following California and Nevada) to adopt a European-influenced consumer privacy law. Several other states, including Illinois, Massachusetts, and Washington, have similar bills pending in their state legislatures and may soon follow suit.
While the VCDPA has been compared to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR), the law is unique in many respects. Companies caught by one or more of these regimes will need to carefully consider their compliance strategies and the potential business impact of nuanced differences between the laws on the development and offering of data-driven products and services. The VCDPA will become effective on January 1, 2023, the same day the substantive provisions of the CPRA enter into force.
This Newsflash provides a high-level overview of key provisions of the VCDPA, along with some initial steps that companies can take to assess their compliance obligations and corresponding risk.
The VCDPA applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents, and meet one or more of the following thresholds:
Notably absent is a CCPA-like revenue threshold.
The VCDPA’s applicability thresholds are tied to the number of “consumers” about whom an entity processes personal data, and the law grants rights only to “consumers.” A “consumer” is a natural person who is a resident of Virginia and who acts only in an “individual or household context.” The VCDPA makes clear that an individual who is acting in a “commercial or employment context” is not a “consumer” and does not enjoy the privacy rights otherwise provided by the statute. In other words, the law does not apply to personal data collected from Virginia-resident employees or to data collected in the business-to-business (B2B) context.
Because the VCDPA focuses on individuals who act only in their “individual or household context,” its scope is narrower than that of the CCPA, CPRA, and GDPR, each of which also applies (at least to some extent) to employee and B2B information.
“Personal data” is broadly defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Like the CCPA, “personal data” excludes de-identified data or publicly available information. The VCDPA imposes specific obligations on “controllers” involving the treatment of de-identified data, including requiring them to take reasonable measures to ensure the data cannot be associated with a person, publicly committing to maintaining and using such data without attempting to re-identify it, and contractually requiring any recipients of de-identified data to comply with all provisions of the VCDPA.
Like the CCPA and CPRA, the VCDPA contains several broad exemptions for entities operating in certain sectors. For example, the law does not apply to (i) financial institutions or data subject to the Gramm-Leach-Bliley Act, or (ii) covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act. It also exempts personal data regulated by other federal laws, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the federal Farm Credit Act. In addition, the law explicitly exempts nonprofit organizations.
Like the GDPR, the VCDPA assigns in-scope entities to two categories: data “controllers” and data “processors.” Data “controllers” are entities that, alone or jointly with others, determine the purposes and means of the processing of personal data. Data “processors” process personal data on behalf of a controller. The VCDPA imposes specific compliance obligations on both controllers and processors, and both can be held liable for violations of the law. The law also contains detailed requirements for the provisions that must be included in contracts between controllers and processors. These requirements are more comprehensive than the current CCPA requirements for business-service provider contracts. On the other hand, the VCDPA’s use of GDPR nomenclature (which the CCPA does not share) should make it easier to keep external and internal privacy policies, employee training, and contract terms consistent across regimes.
Like the CCPA, the law also incorporates the concept of a “third party” in connection with the definition of a “sale” of personal information (addressed below under “Consumer Rights”). “Third parties” are entities other than the consumer, controller, processor, or an affiliate of the processor or the controller.
The VCDPA grants consumers the following rights regarding their personal data, subject to certain exceptions:
Under the VCDPA, covered entities can only process “sensitive data” if they have consumers’ consent. “Consent” is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement,” which may include a written statement or any other unambiguous affirmative action. “Sensitive data” is a separate category of personal data and means: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; and (iv) precise geolocation data, meaning “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy below 1,750 feet.”
The VCDPA requires controllers to conduct “data protection assessments” for specific personal data processing activities, including for targeted advertising, the sale of personal data, processing sensitive data, and processing data that presents “a heightened risk of harm to consumers.” Like CPRA risk assessments and GDPR data protection impact assessments, these assessments must identify and weigh the benefits of the processing activity to the controller, the consumer, other stakeholders and the public against any potential risks to the rights of consumers from the processing activity. The controller must make the assessment available to the Virginia Attorney General upon request.
The VCDPA is enforceable exclusively by the Virginia Attorney General, who may initiate civil actions against controllers and processors for violations; a controller or processor found in violation can be fined up to $7,500 per violation. A business must be given 30 days’ written notice and an opportunity to cure any alleged violations before the Attorney General initiates a civil action. This is similar to the CCPA’s original 30-day notice-and-cure period (which the CPRA made discretionary). Unlike the GDPR and the CCPA, the VCDPA provides no private right of action.
Companies currently have well over a year before the VCDPA becomes effective. Companies that are subject to the GDPR and the CCPA will recall that preparing for a new privacy law can be a heavy lift. For now, companies will want to consider taking the following steps to assess potential obligations under the VCDPA, and identify potential risk and risk reduction measures:
We will continue to keep you apprised of further developments.