Virginia’s new consumer protection law
On January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) comes into force. With the passage of the law earlier this year, Virginia joined Colorado and California as the only states to enact comprehensive privacy legislation. The VCDPA includes elements similar to the California Privacy Rights Act (CPRA), including granting certain rights to residents of Virginia, creating obligations for companies doing business in Virginia, and granting significant enforcement authority to the Attorney General of Virginia. However, like the Colorado Privacy Act (CPA) discussed in a previous client alert, the VCDPA does not cover employee personal data. Organizations need to start compliance efforts now to avoid regulatory scrutiny.
Covered businesses and applicability
Covered entities. Like the ACPL, the VCDPA establishes thresholds to determine applicability. In particular, the VCDPA applies to entities that do business in Virginia or offer products or services to residents of Virginia and that control or process the personal data of at least:
(1) 100,000 consumers during the calendar year or
(2) 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Unlike the ACPL, there is no revenue threshold, which means that large companies that do not meet these data-volume thresholds fall outside the obligations of the VCDPA. The VCDPA also provides exemptions for: (1) agencies and bodies of the State of Virginia, (2) financial institutions or data subject to the Gramm-Leach-Bliley Act, (3) entities covered by HIPAA and the Health Information Technology for Economic and Clinical Health Act, and (4) institutions of higher education.
Covered individuals. A “consumer” is a person who resides in Virginia “acting only in an individual or family context”. The definition goes on to expressly exempt a person acting in a “business or employment” context. This is an important distinction that is not present in the CPRA, which is expected to apply to employee data on January 1, 2023.
Personal and sensitive data. The VCDPA defines “personal data” broadly as “any information linked or reasonably linkable to an identified or identifiable person”. Two exceptions are provided, for publicly available information and for de-identified data. Similar to the GDPR and the CPRA, the VCDPA also regulates “sensitive data”. Sensitive data is defined as a category of personal data which includes: (i) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The protections for sensitive data are described in more detail below.
Obligations of the controller and the processor
Like the GDPR, the VCDPA distinguishes between controllers (companies responsible for determining the purpose and means of processing personal data) and processors (companies that process personal data on behalf of controllers). Generally, a processor is required to follow the instructions of a controller and to help the controller fulfill its obligations under the VCDPA. Written contracts between controllers and processors are required before personal data is processed.
A controller is required to comply with several key obligations, including:
Provide consumers with privacy notices describing the controller’s data processing practices and consumers’ rights;
Establish and implement reasonable data security practices to protect personal data;
Limit the collection of personal data to what is reasonably necessary for the purposes for which the data is processed;
Obtain consumer consent before processing sensitive data;
Respond to consumer rights requests; and
Carry out data protection assessments in certain circumstances, including the sale of personal data, the processing of personal data for the purposes of targeted advertising or profiling, the processing of sensitive data, and any processing activity involving personal data that presents a heightened risk of harm to consumers.
The VCDPA gives consumers rights of access, correction, deletion and portability, as well as the right to opt out of certain data processing activities. Entities are required to respond to a request within 45 days of receiving it. The VCDPA also gives consumers the right to opt out of the processing of personal data for the purpose of targeted advertising, the sale of their personal data to third parties, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Unlike the CPRA, consumers in Virginia can only opt out of the sale of personal data where the data is exchanged for monetary consideration. However, both the VCDPA and the ACPL give consumers an explicit right to opt out of certain forms of targeted advertising and profiling.
Enforcement of the VCDPA
The Virginia Attorney General will have exclusive authority to enforce the VCDPA. This includes the power to initiate investigations into controllers and processors. Unlike the ACPL, however, the VCDPA provides no private right of action, and the text expressly excludes any interpretation that would support an implied right of action. Violations of the VCDPA can result in civil penalties of up to $7,500 per violation, as well as any reasonable expenses incurred by the government in investigating and preparing the case, including attorney fees.
Key points to remember
State-level momentum for comprehensive privacy legislation is at an all-time high, and the responsibilities of organizations will continue to expand as consumers’ rights over their data increase. Although the VCDPA does not come into effect until January 2023, organizations should start preparing now, as non-compliance can be costly. Preparatory steps include:
Determine whether the VCDPA will apply to your business;
Understand the consumer data your business processes; and
Consult with experienced professionals.