Data Privacy

Virginia Privacy Law

Sue Poremba, August 16, 2021


After California passed the CCPA, a number of states announced that they, too, were looking into data privacy laws. Still, since the California Consumer Privacy Rights law was passed in 2018, Virginia was just the second state to sign a comprehensive consumer privacy bill into law. The Virginia Consumer Data Protection Act (VCDPA) was signed into law during a special legislative session in March 2021 and will go into effect on January 1, 2023.

If the Virginia privacy law looks familiar, it’s because it uses some of the same elements as the CCPA along with some parts of the privacy bill introduced in Washington state. Residents of the Commonwealth will be the primary beneficiaries of the VCDPA. The Virginia privacy law will apply to an entity that conducts business in Virginia or targets its services and goods to Virginia consumers, but only if that business entity processes or controls the personal information of at least 100,000 customers per calendar year and/or processes or controls the personal information of at least 25,000 customers while 50% of its gross revenue comes from selling consumer data.


How VCDPA Differs from Other Privacy Laws

There are glaring differences between the VA privacy law and what we’ve become familiar with from GDPR and CCPA.


First is the definition of “consumer.” In Virginia’s case, a consumer is primarily a resident of Virginia and “acting only in an individual or household context,” but very specifically excludes “any person acting in a commercial or employment context.” Data privacy protections don’t cover business-to-business information or PII belonging to employees.

Sale of Data

How the sale of data is defined is also unique to VCDPA. According to IAPP, “Unlike the California Consumer Privacy Act (CCPA), under which a sale occurs where sensitive personal data is exchanged for ‘monetary or other valuable consideration,’ the CDPA requires that the consideration must be monetary to qualify as a sale of data.”

However, there are exclusions to this provision, including data that consumers purposely make available to the general public (e.g., a social media posting), data disclosures to a third party providing a specific service or product, and any transfer of consumers’ personal data during a business merger or acquisition.

Exclusion of Data Shared on Social Media

The exclusion of data shared by consumers on social media or for mass public consumption could be an area to watch as VCDPA takes shape. According to a WeAreSocial blog, “Data footprints in the realm of social media are significant, thanks to internet users now spending an average of 2 hours and 24 minutes per day on social networks and messaging apps, and sharing personal content and information while there.”

Yet, consumers are concerned about how social media companies use the personal information shared on those sites. Virginia residents could be under the impression that VCDPA will protect them from such misuse, but as the Virginia law reads now, there will be no protections for anything posted freely. Will Virginia consumers be protected if a third party shares information about them?

Opting Out

If Virginia residents don’t like being bombarded with targeted advertising, they have the right to opt out of any processing of their personal information used for this purpose or any other type of profiling. Also, any company that buys and uses consumers’ personal data has to gain the consent of the Virginia resident before using any sensitive data, defined here as “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status,” or any genetic, biometric, or geolocation data. 

Businesses must respond to any opt-out request within 45 days, with a 45-day extension if the business can provide a written explanation defining the reason for a requested delay.

Who Is Exempt from VCDPA

Not every organization in Virginia will be required to follow the new privacy law. Besides the organizations that don’t meet the previously mentioned data collection and consumer thresholds, the following organizations are exempt:

  • Virginia public entities, such as governments and government agencies;
  • Organizations that are subject to the Gramm-Leach-Bliley Act;
  • Organizations that are subject to HIPAA laws;
  • Non-profit organizations; and
  • Higher education institutions.

There are data exemptions, as well, that include:

  • Health information that falls under HIPAA and under other health regulatory compliances;
  • Employee data held by an employer used for business and benefits purposes;
  • Personal data collected in compliance with the federal Driver’s Privacy Protection Act;
  • Personal data regulated by the federal Family Educational Rights and Privacy Act; and
  • Any data collected during the process of applying for a job and subsequent employment.

Consequences for Non-Compliance

The Virginia attorney general’s office will have sole control of the enforcement of the Virginia CDPA. Note that data collected and processed after the 1st of January, 2023, will be included in the assessment.

If any action is taken, the business has 30 days to fix any violations and provide a written statement that confirms the violation has been addressed. If this does not happen, the business can be fined up to $7,500 per violation at the attorney general’s discretion. Virginia residents, however, do not have a private right of action against violations, something that is offered in CCPA.

Any fines collected due to VCDPA non-compliance will be put into a “consumer privacy fund” run by the Commonwealth’s treasury department and will be used for specific purposes, most likely related to improving data privacy protections.

Legal experts believe compliance with Virginia’s data privacy law will be easier than with other states’ data privacy laws. Still, the greater concern is how it adds a second layer to what will likely be a patchwork of data privacy laws across all 50 states.

“More state data laws also mean a lower chance of a federal bill that would supersede states’ acts and require more regulations,” Ashley L. Taylor Jr., a partner at Troutman Pepper, told Virginia Business. But with Virginia coming on board as the second state with a data privacy law, there is hope that other states wanting to adopt such laws will find common ground that will offer a national model.
