On March 2, 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA). The law passed the state legislature with strong bipartisan support. With a stroke of the pen, Virginia became the third state (following California and Nevada) to adopt a European-influenced consumer privacy law. Several other states, including Illinois, Massachusetts, and Washington, have similar bills pending in their state legislatures and may soon follow suit.
While the VCDPA has been compared to the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR), the law is unique in many respects. Companies caught by one or more of these regimes will need to carefully consider their compliance strategies and the potential business impacts of nuanced differences between the laws on the development and offering of data-driven products and services. The VCDPA will become effective on January 1, 2023, the same day as the substantive provisions of the CPRA enter into force.
This Newsflash provides a high-level overview of key provisions of the VCDPA, along with some initial steps that companies can take to assess their compliance obligations and corresponding risk.
The VCDPA applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents, and meet one or more of the following thresholds:
- The entity controls or processes the personal data of at least 100,000 consumers during a calendar year; or
- The entity derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers.
Notably absent is a CCPA-like revenue threshold.
Who is a “Consumer”?
The VCDPA’s applicability thresholds are tied to the number of “consumers” about which an entity processes personal data, and the law only grants rights to “consumers.” A “consumer” is a natural person who is a resident of Virginia and who acts only in their “individual or household context.” The VCDPA makes clear that an individual who is acting in a “commercial or employment context” is not a “consumer” and does not enjoy privacy rights otherwise provided by the statute. In other words, the law does not apply to personal data collected from Virginia resident employees or data collected in the business-to-business (B2B) context.
Due to the VCDPA’s focus on individuals who act only in their “individual or household context”, the scope of the VCDPA is narrower than the CCPA, CPRA and GDPR, each of which also applies (at least to some extent) to employee and B2B information.
What is “Personal Data”?
“Personal data” is broadly defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” As under the CCPA, “personal data” excludes de-identified data and publicly available information. The VCDPA imposes specific obligations on “controllers” involving the treatment of de-identified data, including requiring them to take reasonable measures to ensure the data cannot be associated with a person, publicly committing to maintaining and using such data without attempting to re-identify it, and contractually requiring any recipients of de-identified data to comply with all provisions of the VCDPA.
Does the VCDPA Contain Any Helpful Exemptions or Carve-Outs?
Like the CCPA and CPRA, the VCDPA contains several broad exemptions for entities operating in certain sectors. For example, the law does not apply to (i) financial institutions or data subject to the Gramm-Leach-Bliley Act, or (ii) covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act. It also exempts personal data regulated by other federal laws, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the federal Farm Credit Act. In addition, the law explicitly exempts nonprofit organizations.
Like the GDPR, the VCDPA assigns in-scope entities to two categories: data “controllers” and data “processors.” Data “controllers” are, alone or jointly with others, responsible for determining the purposes and means of the processing of personal data. Data “processors” process personal data on behalf of a controller. The VCDPA imposes specific compliance obligations on both controllers and processors, and both can be held liable for violations of the law. The law also contains detailed requirements for the provisions that must be included in contracts entered into between controllers and processors. These requirements are more comprehensive than the current requirements under the CCPA for business-service provider contracts. On the other hand, unlike the CCPA, the use of GDPR nomenclature should facilitate consistency of external and internal privacy policies, employee training, and contract terms.
Like the CCPA, the law also incorporates the concept of a “third party” in connection with the definition of a “sale” of personal information (addressed below under “Consumer Rights”). “Third parties” are entities other than the consumer, controller, processor, or an affiliate of the processor or the controller.
Consumer Rights
The VCDPA grants consumers the following rights regarding their personal data, subject to certain exceptions:
- Right to Confirm/Access: The right to confirm whether a controller is processing their personal data and the right to access such personal data.
- Right to Correct: The right to correct inaccuracies in their personal data.
- Right to Delete: The right to delete their personal data.
- Right to Portability: The right to obtain a copy of their personal data in a portable and, where technically feasible, readily usable format that allows the consumer to transfer their personal data to another controller, where the processing is carried out by “automated means.”
- Right to Opt Out: The right to opt out of (a) the processing of personal data for the purposes of targeted advertising, (b) the “sale” of personal data by a controller to a third party, and (c) “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Notably, the term “sale” is defined differently than the term of art used in the CCPA as “the exchange of personal data for monetary consideration by the controller to a third party” (emphasis added). The law excludes certain activities from the definition of a sale, including, for example, disclosures to processors, disclosures to a controller’s affiliate, and disclosures made as part of a merger, acquisition, or other similar transaction.1
Restrictions on the Processing of Sensitive Data
Under the VCDPA, covered entities can only process “sensitive data” if they have consumers’ consent.2 “Consent” is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement,” which may include a written statement or any other unambiguous affirmative action. “Sensitive data” is a separate category of personal data and means: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (ii) genetic or biometric data processed for the purposes of uniquely identifying a natural person, (iii) personal data collected from a known child, and (iv) precise geolocation data, meaning “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy below 1,750 feet.”
Data Protection Assessments
The VCDPA requires controllers to conduct “data protection assessments” for specific personal data processing activities, including for targeted advertising, the sale of personal data, processing sensitive data, and processing data that presents “a heightened risk of harm to consumers.” Like CPRA risk assessments and GDPR data protection impact assessments, these assessments must identify and weigh the benefits of the processing activity to the controller, the consumer, other stakeholders and the public against any potential risks to the rights of consumers from the processing activity. The controller must make the assessment available to the Virginia Attorney General upon request.
The VCDPA is enforceable exclusively by the Virginia Attorney General, who may initiate civil actions against controllers and processors for violations; violators can be fined up to $7,500 per violation. A business must be given 30 days’ written notice to cure any alleged violations prior to the Attorney General initiating any civil action. This is similar to the CCPA’s original 30-day notice-and-cure period (which was made discretionary by the CPRA). Unlike the GDPR and CCPA, there is no private right of action.
Companies currently have well over a year before the VCDPA becomes effective. Companies that are subject to the GDPR and the CCPA will recall that preparing for a new privacy law can be a heavy lift. For now, companies will want to consider taking the following steps to assess potential obligations under the VCDPA, and identify potential risk and risk reduction measures:
- Conduct an applicability analysis to see whether you meet the VCDPA applicability thresholds.
- Conduct a scoping analysis to see whether any personal data you currently process, or anticipate processing, falls within the VCDPA’s carve-outs.
- Compare the VCDPA’s requirements to the CCPA, CPRA and GDPR to understand the similarities and differences between the laws, including subtle nuances for potential impacts on your compliance strategies, product development or improvement, and commercial agreements.
- Conduct a mapping analysis to identify any processing of sensitive data and determine appropriate mechanisms for consent.
- Identify all processing activities that will be subject to a consumer’s opt-out right.
- Identify all third-party contracts that will need to be updated to reflect the VCDPA’s controller-processor language.
- Identify all processing activities for which you may need to conduct a data protection assessment.
We will continue to keep you apprised of further developments.
1) Specifically, the “sale of personal data” does not include: (1) disclosure of personal data to a processor that processes the personal data on behalf of the controller; (2) disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer; (3) disclosure or transfer of personal data to an affiliate of the controller; (4) disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or (5) disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
2) Controllers must process sensitive data concerning a known child under 13 years of age in accordance with the federal Children’s Online Privacy Protection Act.