Virginia is the second of the 50 US states to enact a state data protection law. The Virginia Consumer Data Protection Act (VCDPA) aims to protect the personal data of consumers in Virginia.
It shares many similarities with other consumer privacy laws, such as the California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA), and the state laws of Colorado, Utah, and Connecticut.
This article will delve deep into what this law requires from your business. You’ll learn about the following:
The Virginia Consumer Data Protection Act is Virginia’s first data privacy law. It was signed into law on 2 March 2021, and its effective date is 1 January 2023.
Its goal is to protect Virginia residents’ privacy when businesses handle their personal information.
It follows the trend set by the California Consumer Privacy Act (CCPA). It relies solely on the opt-out principle, meaning that businesses subject to it may process personal data as long as the consumer does not object.
It has been amended once already. The amendments address consumer requests to delete personal data held by businesses, broaden the definition of nonprofit organizations, and redirect penalties and fees collected by the Attorney General’s Office from VCDPA enforcement to an existing fund.
VCDPA applies to natural and legal persons that:
The ‘sale of personal data’ is defined as ‘the exchange of personal data for monetary consideration’ by a business to a third party.
Yes, there are a few exemptions. The law does not apply to:
The VCDPA defines personal data as any information that is linked, or reasonably linkable, to an identified or identifiable natural person.
Name, home address, phone number, email address, IP address, social security number, etc., are all examples of personal data.
De-identified data and publicly available personal data are exempt from the definition. They are not personal data and are out of the scope of the law.
De-identified data cannot be linked to or reasonably associated with a person; therefore, it is not personal data. Public data is already available to anyone; hence, it is not protected.
The VCDPA distinguishes personal data from sensitive personal data. The following categories of personal data belong to the latter:
The controller is the person or entity that decides whether personal data will be processed. It also determines the purposes and means of the processing, including the categories of personal data involved.
The processor is the entity that processes the data on behalf of the controller.
In other privacy legislation in the US, controllers are often known as businesses, and processors are called service providers.
Data controllers must present consumers with a privacy notice at the point of data collection. You can do this by providing them with a VCDPA-compliant privacy policy.
The privacy policy must contain at least the following essential information:
You don’t need consumers’ consent to process their personal data. There are two exceptions, however:
In all other cases, you can process data until someone opts out of the processing.
The Virginia CDPA grants consumers the following personal data rights:
The VCDPA differs from other laws, such as the CCPA and CPRA, regarding the wording of data subject rights. Although the privacy legislation of other US states calls them consumer rights, VCDPA calls them personal data rights.
Additionally, the VCDPA requires that companies only hold the data they need for a specific purpose and for only as long as necessary to achieve that purpose; these principles are commonly referred to as purpose limitation and data minimization. The VCDPA also requires that companies implement and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Personal data requests are the tool with which consumers exercise their personal data rights. If you are familiar with data subject requests under the GDPR in Europe or consumer requests under the CCPA or CPRA in California, you already have an idea of what is required of your business in Virginia.
Whenever you receive a consumer request, you must honor it. Failing to respond, or providing false information, constitutes non-compliance and leads to penalties.
Data controllers have 45 days to respond to a request. For more complex requests, the deadline is 90 days. The response must be free of charge unless it requires significant expense on the data controller’s part.
Before honoring the request, you must identify the requester. If you cannot identify them, you can refuse the request.
The VCDPA requires controllers to have written agreements with processors that process personal data on their behalf. Also, processors can only handle personal information if the controller gives them written instructions.
A well-structured data processing agreement will cover both VCDPA obligations. The agreement will be in written form and contain the necessary instructions on processing. Controllers must have a separate data processing agreement with every data processor.
Every agreement must contain the following essential elements:
In the event of a data breach, you must comply with data breach notification requirements. The VCDPA does not address this directly, but other Virginia laws establish notification requirements for narrower categories of personal information.
Data protection assessments, also known as privacy impact assessments (PIAs), are a good security practice for preventing data breaches. A PIA aims to identify privacy risks and determine measures to mitigate them. Under the VCDPA, they are mandatory in some cases.
You must conduct the Privacy Impact Assessment if you do at least one of the following data processing activities:
In all other cases, you don’t have to conduct a PIA. However, it is good practice and highly recommended as part of your security program.
The Virginia Attorney General is the only person who enforces the VCDPA. Consumers cannot do anything by themselves. They have no private right of action.
When the Attorney General becomes aware of a potential violation, he or she may initiate proceedings against the company. If the investigation shows that the VCDPA has been violated, the violator has 30 days to cure the violation.
If the business cures the violation, the matter ends there. If it does not, the Attorney General can bring a court action to impose civil penalties.
VCDPA fines have an upper cap of $2,500 for any violation and $7,500 for an intentional violation per incident. One consumer means one incident.
Consequently, if businesses violate the VCDPA rights of 100 consumers, they may be fined up to $750,000 because 100 consumers times $7,500 equals $750,000.
All fines, costs, and attorney fees from enforcing the VCDPA will go to the Consumer Privacy Fund to help the AG enforce the law.
The EU’s General Data Protection Regulation (GDPR) is the strictest data privacy law worldwide. US states still approach data protection differently, and Virginia is no exception: like the others, it relies on the opt-out principle and allows businesses to process data until the consumer objects.
On the other hand, the VCDPA fills the gap created by the previous absence of a data protection law in the state, which is a step in the right direction.