Virginia Joins California and Nevada in Passing its Consumer Privacy Act

Newmeyer Dillion
Contact

California tends to be on the forefront in consumer privacy laws within the United States. However, there is a growing momentum for other states to join California in legislating consumer privacy rights, as well as pushes for federal legislation. The latest state to join in and pass consumer privacy legislation is Virginia, with its Virginia Consumer Data Protection Act (VCDPA). With Virginia joining the fray, several questions arise, such as how closely does the VCDPA follow California's legislation? How, if at all, does it differ from already-existing legislation? What do businesses need to comply with the VCDPA, if at all?

WHAT IS THE VIRGINIA CONSUMER DATA PROTECTION ACT?

The VCDPA largely mimics elements from its Californian cousins, the California Consumer Privacy Act (CCPA) as modified by the California Privacy Rights Act (CPRA). The main features of the law include: (a) issuing the right to request what information is collected; (b) the right to correct information provided; (c) the right to deletion; (d) providing notice to consumers regarding the collection of their data; and (e) protecting consumer data. Further, the consumer requests, akin to the CCPA, do require verification, and similarly phrased data security practices that rely on how "reasonable" they are, depending on the volume and type of information at issue. Though, the VCDPA does expand on this slightly, requiring "data protection assessments" to determine the security of protected information, how it is shared and used, the benefits in sharing the information and harm resulting from any breaches.

Unlike the CCPA, the VCDPA does not extend to nearly as many entities as the CCPA does, limiting the businesses subject to the VCDPA to entities that collect the information of 100,000 consumers, though entities that collect the information of 25,000 consumers may be subject to the VCDPA if they derive half or more of their gross revenue from the sale of personal information. Furthermore, the number of consumers explicitly excludes individuals engaging in business to business transactions, or those seeking employment. For comparison's sake, this means that unlike the CCPA, (a) the gross revenues of the business do not matter, but rather, the collection of consumers matters; (b) even if 50% or more of the business's income is due to the sale of personal information it may not be subject to the VCDPA if the business does not collect from over 25,000 consumers; and (c) the amount of consumers counted is lower, as the VCDPA explicitly does not count those acting in context of employment or commercial contexts, and only those acting in the context of being an individual or a household.

WHAT NOW?

If you do business in Virginia, you need to familiarize yourself with the new law, and what it means for your business. However, for those who are already subject to and in compliance with the CCPA, minimal action is needed to abide by the VCDPA. Preparation and education truly are the best remedy, especially as these laws seem to be taking inspiration from one another. Further, even those requirements like "data protection assessments," which were not formally required under the CCPA, may have been done informally as part of data mapping and other preparation actions in order to issue timely responses to consumer requests, meaning such measures and actions can be used to comply with the VCDPA. Failure to comply with the VCDPA does carry a penalty up to $7,500 per violation, as well as "reasonable expenses" incurred by the Virginia Attorney General to enforce the law, which could exponentially increase costs to any violation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Newmeyer Dillion | Attorney Advertising

Written by:

Newmeyer Dillion
Contact
more
less

Newmeyer Dillion on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.