On March 2, Virginia passed HB 2307 (Ch. 36) to enact the Consumer Data Protection Act (VCDPA), which becomes effective Jan. 1, 2023. The privacy concepts included in this act are similar to those found in the California Consumer Privacy Act (“CCPA”)/California Privacy Rights Act (“CPRA”) or General Data Protection Regulation (“GDPR”), and the act uses similarly defined terms such as “consumer,” “controller,” “processor,” and “personal data”; however, the VCDPA puts its own spin on privacy regulation.
The jurisdictional scope of the VCDPA is more limited than that of the CCPA/CPRA or the GDPR. The VCDPA applies only to data controllers (a) conducting business in Virginia or producing products or services that are targeted to Virginians, and (b) that control or process personal data of at least:
In addition, the VCDPA includes some business-friendly limitations: it is not intended to restrict a controller or processor from conducting internal research, effectuating a recall, or performing internal operations that are reasonably aligned with consumers’ expectations. Unlike the CCPA/CPRA, the VCDPA also does not provide for a private cause of action.
However, like the CCPA/CPRA and the GDPR, the VCDPA contains various consumer rights for individuals whose information is collected and processed by the company.
Within 45 days of receiving a request from a consumer, a controller must comply with requests to:
Data controllers must:
The VCDPA requires a contract between a controller and a processor that contains specific provisions, such as setting forth what personal data is to be processed, instructions about how the data will be processed, and the duration of processing. The contract must also require the processor to ensure that each person processing personal data (e.g., subcontractors, vendors, and agents) for the processor be subject to a duty of confidentiality and return or delete personal data once the contract has been fulfilled.
If there is confusion about whether a party is a controller or processor, the VCDPA provides that a “fact-based determination that depends upon the context in which personal data is to be processed” should be used. If one party adheres to the instructions of a controller, then such party remains a “processor.”
Investigations and Enforcement
The Virginia Attorney General will have the power to conduct civil investigations and enforce the provisions of this act. Notably, controllers have 30 days after the Attorney General notifies them of violations to cure these defects; however, continued violations may result in civil penalties of up to $7,500 for each violation plus expenses.