On March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act (VCDPA), becoming the second U.S. state, after California, to enact a comprehensive data privacy law. Although the California Consumer Privacy Act (CCPA) and the VCDPA are at the forefront of the data privacy legislation charge, twenty-seven other states have enacted or introduced similar legislative efforts.
The VCDPA applies to businesses that:
- conduct business in Virginia or market their products or services to the residents of Virginia; and
- control or process the personal data of 100,000 or more Virginia residents; or
- control or process the personal data of 25,000 or more Virginia residents and derive more than 50 percent of their gross revenue from the sale of that personal data.
Under the VCDPA, consumers are granted certain rights and protections with relation to their personal data when it’s collected by covered businesses, including:
- the right to be made aware of when a business is collecting personal data, and the right to access and confirm the information that is collected;
- the right to correct inaccuracies;
- the right to delete personal data collected;
- the right to obtain a copy of their personal data in a portable and readily usable format;
- the right to opt out of:
- the processing of their data for targeted advertising purposes;
- the sale of their personal data to third-parties; and
- the profiling of their personal data.
- the right to not be discriminated against by the data processor or controller in exercising any of these aforementioned rights.
In addition, the VCDPA requires that when a covered business uses a third-party data servicer or processor, the business is required to enter into a contract with that third-party entity that implements the act’s requirements in this same manner.
Sensitive Personal Data
The VCDPA extends specific privacy rights where the personal information of a consumer that is being collected or processed can be categorized as “sensitive personal data.” Sensitive personal data is defined under the act as
- data which reveals a consumer’s “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”;
- genetic or biometric data that is being collected to uniquely identify the consumer;
- personal data which was collected from a personal known to be younger than 13 years of age; or
- data which reveals the precise geolocation of a consumer.
Under VCDPA, sensitive personal data cannot be processed without obtaining the consent of the consumer, which is defined as an affirmative act on the part of the consumer which evidences a “freely given, specific, informed, and unambiguous agreement” to permit a controller or processor to engage in an activity. However, if the consumer is a child, then the VCDPA requires that the processing of their sensitive personal data must be done in accordance with the Children’s Online Privacy Protection Act (COPPA).
Data Protection Assessments
Under the VCDPA, data collectors will be required to conduct a “data protection assessment” to ensure their compliance with the provisions of this act and all other applicable laws or regulations after January 1, 2023.
These assessments should be conducted for the following activities:
- personal data processing for the purpose of targeted advertising;
- conducting a sale of personal data;
- processing personal data for profiling if the profiling presents a “reasonably foreseeable risk” of
- “unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- financial, physical, or reputational injury to consumers;
- a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or other substantial injury to consumers.”
In preparing these assessments, controllers are required to identify and weigh the benefits that the controller, consumer, and other stakeholders may receive or derive from processing against the potential risks that the consumer may incur from processing. In assessing the potential risks, the controller may consider the organizational safeguards used to protect the consumer’s rights.
These assessments must, upon request, be turned over to the Virginia Attorney General (AG) for investigative purposes and compliance reviews. The act makes clear that this review process will maintain the confidentiality of the assessment and will not negate attorney-client privileges or work product protections.
The VCDPA will be enforced by the Virginia AG. Under the terms of the act, the AG may grant businesses a 30-day cure period upon determining that a violation has occurred. However, failure to comply with this opportunity to cure may result in an organization incurring civil penalties of up to $7,500 per violation.
The VCDPA will become effective on January 1, 2023. As such, businesses have a substantial amount of time to review their data collection, processing, or redistribution policies and procedures–as well as their contracts governing third-party engagement in these activities.