The (VCDPA) Virginia Consumer Data Protection Act was signed into law on March 2, 2021, by Governor Ralph Northam. After California, they are the second state to institute such legislation.
The new regulations, which officially take effect on January 1, 2023, will change how companies are allowed to collect and use their clients’ data. Although the law has many similarities with those in effect in California, it differs in many salient aspects.
While it is similar in that it allows Virginia residents the right to know, access, delete, correct, and opt-out of the processing and sale of their personal information for marketing and advertising purposes.
The VCDPA more closely resembles the measures in the European Union’s GDPR (General Data Protection Regulation).
It emphasizes ‘processer’ and ‘controller’ terminologies and data protection assessment requirements. It also places enforcement responsibility of the law entirely on the shoulders of the Attorney General’s office.
Who Must Comply with VCDPA Requirements?
This legislation applies to any company that either operates in Virginia or sells its products or services in the state. These companies either handle the personal information of over 100,000 resident clients or obtain over 50 % of their revenue from selling off personal client data.
As long as a company’s economic activities trigger state tax liabilities or personal jurisdiction, they qualify as ‘doing business in the state.
These statutes do not seem to focus too much on the revenues or profits of the companies it targets rather than the volumes of client data they collect, process, and profit from. Thus, certain large organizations may find themselves exempt from the VCDPA laws.
It affords data-specific and entity-level exemptions to companies that:
- Official State agencies and institutions
- Financial institutions and data falling under the GLBA (Gramm-Leach-Bliley Act) protection
- Business associates and covered entities under the Health Information Technology for Economic and Clinical Health or HIPAA (Health Insurance Portability and Accountability Act)
- Non-Profit institutions
- Institutions of higher learning
How is Personal Data Defined?
The VCDPA defines personal data as any information that may be reasonably linkable or linked to an identifiable or identified natural living person. However, this excludes publicly available information, pseudonymous data (data that cannot be linked directly to a person without more information), or employment data.
Consumer Rights to Personal Information
Under this law, a ‘consumer’ is anyone who resides in Virginia, excluding those acting in employment or professional contexts, meaning that business-to-business interactions are exempt.
Access, Deletion, Anti-discrimination, and Correction
Under the VCDPA, residents of Virginia will enjoy the right to access, delete, or correct their personal data. In addition, those in control of their information will be compelled to implement mechanisms providing effective means by which consumers can carry out such procedures and describe them in privacy notices.
This legislation offers controllers fewer avenues they can use to deny these capabilities to consumers who request them. The VCDPA also protects all consumers who decide to exercise their rights by this legislation.
Under this law, Virginians will have broader opt-out rights than those affected in California. Californians can only opt-out of selling their information when the sale is directly tied to monetary gain (transfers to processors and affiliates are exempt) or for behavioral cross-context advertising.
The VCDPA goes further, allowing consumers to opt-out of targeted advertising programs. They may also choose to opt-out of any processing that may result in profiling that might have legal ramifications.
Under these new regulations, consumers will have the right to choose whether ‘sensitive’ personal data may be processed or not. The controllers will have to ask consumers beforehand before handling such data.
Sensitive data includes sexual orientation, immigration status, physical health diagnosis, citizenship status, mental health status, religious beliefs, racial or ethnic origin, genetic data, precise geolocation data, biometric data, and data collected from a known minor.
The difference between this clause in Virginia’s case and what California has in place is that California companies do not have to ask individual consumers for their consent. However, they are somewhat limited regarding what they are allowed to do with this type of information once they have it.
There are certain responsibilities placed on the shoulders of organizations and businesses collecting consumer data, which include:
Technical Safeguarding and Data Minimization
In a nutshell, the VCDPA limits the use of consumer data by companies to what is compatible with and necessary for the purposes they had disclosed to their consumers unless they obtain their consent beforehand. They are also responsible for keeping any information they collect secure.
The VCDPA is similar to European (GDPR) systems. It compels data controllers to carry out what they refer to as data protection assessments, which evaluate the risks to consumer data regularly.
It also requires controllers and processors to conduct their activities under the guidance of a clearly defined data processing agreement. It also holds them responsible for reporting any data breaches that they may experience.
Enforcing the VCDPA
The responsibility of making sure that the rules and regulations set out in the VCDPA are adhered to by all parties involved falls under the purview of the Attorney General’s office.
This office may seek damages and injunctive relief to the tune of $7,500 for each VCDPA violation an entity is charged with. Private citizens are not granted the right to take private action against organizations that violate their data privacy rights, while California legislation does.