On January 1, 2023, Virginia’s Consumer Data Protection Act (“Virginia Privacy Law”) went into effect, the second in the US aimed to protect consumers’ personal data. We previously blogged about its passage. Here’s what you should know.
Who’s Covered.
The Virginia Privacy Law applies to businesses (called “controllers”) that conduct business in Virginia. It can apply to businesses that are not headquartered, incorporated or located in Virginia if they offer products or services targeted to Virginia residents and that (1) control or process personal data of at least 100,000 Virginia residents in a calendar year or (2) control or process the personal data of at least 25,000 Virginia residents and derive more than half their gross revenue from the sale of personal data.
Entity-wide exemptions include (1) financial institutions subject to Gramm-Leach-Bliley Act, (2) entities regulated by HIPAA, (3) non-profits, (4) Virginia state agencies, and (5) colleges and universities.
By its definition of consumers that expressly excludes persons acting in a “commercial or employment context”, HR and B2B data is exempt.
What’s required.
Generally, covered businesses must (i) implement privacy policies; (ii) design processes for Virginia residents to exercise their rights, including consent to process sensitive data[1]; (iii) conduct data protection assessments; (iv) implement or revise vendor contracts to include requisite language; and (v) establish, implement and maintain reasonable security practices.
Privacy notices should include the categories and purposes of personal data processed, the categories of third parties with whom businesses share personal data and the categories of personal data shared with third parties, disclose how Virginia residents may exercise their rights, and disclose if the business sells personal data to third parties or processes personal data for targeted advertising.
Consumers have the right to know, access, correct, delete, obtain, opt-out of targeting advertising, selling personal data, and profiling, and consent to processing of sensitive data.
Unlike the CCPA but like the GDPR, the Virginia Privacy Law requires companies to conduct and document a data protection assessment when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling personal data or profiling.
Contracts with service providers (called “processors”) must contain certain key provisions, including – unlike the CCPA – that each person processing personal data is subject to a confidentiality agreement.
Reasonable data security is not defined but must protect the confidentiality of personal data appropriate to the volume and nature of the personal data at issue.
How It’s Enforced.
The Virginia Privacy Law will be enforced by the Virginia Attorney General and allows for a 30-day cure period. Uncured non-compliance can result in a civil penalty of up to $7,500 per violation. Unlike the CCPA, it does not create a private right of action.
What Your Business Should Do.
Businesses that target Virginia residents must assess their consumer database. For businesses that are not data brokers, did your business control (or process) at least 100,000 Virginia residents’ personal data during 2022? If so, talk with a data privacy lawyer about implementing a privacy compliance program. Consumer privacy is a growing priority in the US. Five other states have enacted comprehensive consumer privacy laws, and 39 states considered such laws in 2022.
[1] Sensitive data includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) the processing of genetic or biometric data to uniquely identify a natural person; (iii) personal data collected from a known child younger than 13; or (iv) precise geolocation data.
