Guide to Virginia’s State Privacy Law (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) is one of five comprehensive data privacy laws in the United States. Enacted in March 2021, the VCDPA will help organizations operating in the Commonwealth of Virginia safeguard consumer data privacy by codifying specific consumer rights and organizational practices regarding data privacy. But how exactly does this Virginia law impact Virginia residents and their information? How is Virginia’s law different from Connecticut privacy law and Utah privacy law?
Continue reading for a breakdown of the various requirements outlined in the Virginia privacy laws and how your business will need to implement consumer data privacy policies and practices.
The VCDPA’s Timeline
The Virginia privacy laws will be effective starting January 1, 2023. On this date, the entire scope of the Virginia law’s regulations will apply to controllers, processors, and other third-party entities.
Which Organizations are Subject to the VCDPA?
You may be required to comply with the regulations of the Virginia Privacy Act if you provide consumers in the Commonwealth of Virginia with products or services and meet one of two requirements:
- You handle the personal data of at least 100,000 Virginia consumers.
- You handle the personal data of at least 25,000 Virginia consumers and obtain more than 50% of your gross revenue from selling personal data.
Unlike other privacy regulations, the VA privacy law does not require organizations to comply with its requirements at certain revenue thresholds. A comparison of the Virginia privacy law vs. CCPA shows that the VCDPA does not list a gross annual revenue threshold, whereas the CCPA lists one at $25 million.
Personal Information Covered by the VCDPA
The sensitive personal data categories listed under the Virginia privacy laws include:
- Data about religious beliefs
- Racial and ethnic biodata
- Mental and physical health diagnoses
- Citizenship and immigration status
- Sexual orientation information
- Genetic and biometric data
- Personal data collected from children
- Precise geographical data
VCDPA-Established Privacy Rights
The consumer privacy rights listed under the Virginia Privacy Act include the following:
- The right for the consumer to confirm whether an organization is processing their personal data and, if so, request access to the sensitive data
- The right to correct any inaccuracies in a consumer’s personal data
- The right to request the data controller to delete the consumer’s personal data from their systems
- The right to obtain a portable and readily usable copy of the consumer’s personal data from the controller and transmit it to another controller without any issues
- The right for the consumer to opt-out of having their sensitive data processed for targeted advertising, personal data sales, or profiling at risk to the consumer
Rights Response Timelines
Businesses responding to privacy requests must be mindful of several operational timelines:
- Response: 45 days
- Response extension: 45 days
- Completion confirmation: without undue delay
- Response to appeal of denied request: 60 days
Business Obligations Under the VCDPA
Under the VA privacy law, businesses are required to comply with the following obligations:
- Privacy notice – Organizations must provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” guiding them on how to exercise their privacy rights. The privacy notice shall list the following:
- The personal data categories a controller processes
- The reasons for processing these personal data categories
- The privacy rights available to consumers
- The personal data categories a controller shares with third parties
- The types of third parties with whom the controller shares personal data
- Vendor contracts – Businesses classified as controllers are responsible for establishing binding contracts with processors. These agreements must provide instructions for how personal data can be processed in compliance with the VA privacy law and should ensure the following:
- Protection of consumer data confidentiality
- Deletion of consumers’ personal data after contracted services are rendered
- Processors can demonstrate compliance with the VA privacy law regulations
- Cooperation for the assessment of privacy law compliance
- Sensitive data processing — the VCDPA requires controllers to obtain consumer consent before processing sensitive data, Personal information concerning children requires parental consent in accordance with the federal Children’s Online Privacy Protection Act (COPPA).
- Privacy impact assessments – Organizations are required to conduct data privacy impact assessments (DPIAs) to evaluate the risks and benefits of data processing activities to the consumer. DPIAs may be necessary if the consumers’ personal data will be:
- Processed for targeted advertising
- Sold to third parties
- Used for profiling at the risk of consumers’ livelihoods
- Considered highly sensitive
- Data breaches – Per § 18.2-186.6, controllers handling consumers’ personal data must report any security breaches in their systems.
How the VCDPA Handles Special Topics
When it comes to specific elements of handling consumer data privacy listed under the VA privacy law, these include:
- Children – When collecting the personal data of children, controllers must comply with the federally mandated consent requirements of the Children’s Online Privacy Protection Act. However, a parent or legal guardian of a child can exercise consumer rights on behalf of the child for personal data belonging to the child.
- Targeted advertising – Advertisements to consumers are considered “targeted” if they are selected based on information obtained from tracking consumer activities and their personal data. All forms of targeted advertising must be included in a data protection assessment.
- Profiling – If consumers’ personal data are used for profiling that may result in heightened risks of unfair or deceptive treatment, harm, or privacy intrusion, a controller must conduct a data protection assessment to evaluate the benefits of the processing activity. Consumers also have a right to opt-out of data processing if their data will be used for profiling and automated decisioning.
Exemptions & Limitations to the VCDPA
The exemptions and limitations listed under the Virginia Privacy Act include the following:
- Exempted organizations – The Virginia privacy laws do not apply to the following organizations:
- Virginia state entities or political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act
- HIPAA-defined covered entities and business associates
- Non-profit organizations
- Higher education institutions
- Exempted data categories – VA privacy law does not cover the following data categories:
- HIPAA-defined protected health information (PHI)
- Health records and patient-identifying information
- Private information about human subjects involved in research studies
- Information used in the federal Health Care Quality Improvement Act of 1986
- Information used in public health interest as described by HIPAA
- Personal data used in consumer credit reporting practices
- Data regulated by the Family Educational Rights and Privacy Act
- Data regulated by the Farm Credit Act
How Will the VCDPA be Enforced?
Similar to other privacy regulations—including Colorado’s privacy law, the Colorado Privacy Act (CPA), and the Utah Consumer Privacy Act (UCPA)—the Virginia Privacy Act will be enforced by the Office of the Virginia Attorney General.
If the Attorney General is notified of a potential violation, a business will be provided a 30-day cure period. If the business does not cure the alleged violation, the VA Attorney General will impose civil penalties of up to $7,500 for each violation.
Unlike the CCPA, but similar to the UCPA, there is no private right of action in the VCDPA.
Trust DataGrail for Data Privacy and VCDPA Compliance
For organizations that handle personal data collected from consumers in Virginia, compliance with the Virginia CDPA brings several new restrictions and business practice adjustments. As you scale up or continue your business operations, complying with the VCDPA and other state-level laws will become even more essential to avoiding penalties and protecting your consumers’ privacy.
Partnering with a data privacy platform like Datagrail can help you keep track of compliance processes and ensure your organization remains up-to-date with the VCDPA’s and other data privacy requirements.
Explore DataGrail’s data privacy platform to learn how a software solution can help businesses comply with regulations like the VCDPA.
Virginia’s Legislative Information System. Code of Virginia – Chapter 53. Consumer Data Protection Act. https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/
Virginia’s Legislative Information System. § 18.2-186.6. Breach of personal information notification. https://law.lis.virginia.gov/vacode/18.2-186.6/