California tends to be at the forefront of consumer privacy law within the United States. However, there is growing momentum for other states to join California in legislating consumer privacy rights, as well as pushes for federal legislation. The latest state to pass consumer privacy legislation is Virginia, with its Virginia Consumer Data Protection Act (VCDPA). With Virginia joining the fray, several questions arise: How closely does the VCDPA follow California's legislation? How, if at all, does it differ from already-existing legislation? What do businesses need to do to comply with the VCDPA, if anything?
WHAT IS THE VIRGINIA CONSUMER DATA PROTECTION ACT?
The VCDPA largely mimics elements from its Californian cousins, the California Consumer Privacy Act (CCPA) as modified by the California Privacy Rights Act (CPRA). The main features of the law include: (a) the right to request what information is collected; (b) the right to correct information provided; (c) the right to deletion; (d) providing notice to consumers regarding the collection of their data; and (e) protecting consumer data. Further, as under the CCPA, consumer requests require verification, and the data security requirements are similarly phrased, turning on how "reasonable" the practices are given the volume and type of information at issue. The VCDPA does expand on this slightly, however, requiring "data protection assessments" to determine the security of protected information, how it is shared and used, the benefits of sharing the information, and the harm resulting from any breaches.
The VCDPA does not extend to nearly as many entities as the CCPA does. It limits the businesses subject to it to entities that collect the information of 100,000 consumers, though entities that collect the information of 25,000 consumers may be subject to the VCDPA if they derive half or more of their gross revenue from the sale of personal information. Furthermore, the number of consumers explicitly excludes individuals engaging in business-to-business transactions or those seeking employment. For comparison's sake, this means that unlike the CCPA, (a) the gross revenues of the business do not matter; rather, the number of consumers whose information is collected matters; (b) even if 50% or more of the business's income is due to the sale of personal information, it may not be subject to the VCDPA if the business does not collect from over 25,000 consumers; and (c) the number of consumers counted is lower, as the VCDPA explicitly does not count those acting in an employment or commercial context, only those acting in the context of being an individual or a household.
If you do business in Virginia, you need to familiarize yourself with the new law and what it means for your business. However, for those who are already subject to and in compliance with the CCPA, minimal action is needed to abide by the VCDPA. Preparation and education truly are the best remedy, especially as these laws seem to be taking inspiration from one another. Further, even requirements like "data protection assessments," which were not formally required under the CCPA, may have been done informally as part of data mapping and other preparation undertaken in order to issue timely responses to consumer requests, meaning such measures can be used to comply with the VCDPA. Failure to comply with the VCDPA carries a penalty of up to $7,500 per violation, as well as "reasonable expenses" incurred by the Virginia Attorney General to enforce the law, which could substantially increase the cost of any violation.