Virginia’s privacy revolution: Unpacking the VCDPA

Virginia is the second state in the US to pass a comprehensive data privacy law, with the Virginia Consumer Data Protection Act (VCDPA). Effective as of 1st January 2023, the VCDPA gives consumers increased rights over their personal data and how businesses collect and share information. 

It also places new obligations on controllers and processors: i.e. companies that do business in Virginia or produce products or services targeted to Virginia residents.

The key data rights guaranteed to Virginia consumers are:

  • The right to access personal data, 

  • The right to correct inaccurate personal data, 

  • The right to delete personal data, 

  • The right to data portability,

  • The right to opt out of personal data being processed for advertising, 

  • The right to opt out of profiling based on personal data, 

  • The right to opt out of the sale of personal data, 

  • The right to not be discriminated against for exercising any of these rights. 

There are subtle but important differences between Virginia’s data law and that of other US states. Similar to the GDPR, Virginia outlines a distinction between “personal data” and “sensitive data”.  

“Sensitive data” includes data from children (under 13s), health and biometric data, mental or physical health diagnosis, data about racial or ethnic origin, religious beliefs, citizenship, political beliefs, and geolocation data. 

“Personal data”, meanwhile, is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. 

However, “consumers” are defined as a “natural person who is a resident of the Commonwealth acting only in an individual or household context”. Unlike the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), the law does not apply to employee data or business-to-business data. Other exemptions include: 

  • De-identified/anonymised data, 

  • Publicly available information,

  • Information collected as part of clinical trials, or

  • Sale of information to or from consumer reporting agencies.

Note also that when it comes to the processing of sensitive data, consumers must give their consent beforehand. 


Who does the VCDPA apply to?

It applies to business entities based in Virginia or that produce products or services that target Virginia residents. For the law to apply, these entities must: 

  1. Control or process the personal data of at least 100,000 Virginia residents, or 

  2. Control or process the personal data of at least 25,000 Virginia residents and derive over 50% of their gross annual revenue from selling personal data. 

Unlike the CCPA, there is no revenue threshold: regardless of the size of a business, the law does not apply unless these conditions are met. 

The Act also doesn’t apply to:

  • A public body, authority, board, bureau, commission, district, Virginian agency or any Virginian political subdivision,

  • Any financial institution or data that is subject to the Gramm-Leach-Bliley Act,

  • A covered entity or business that is subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act),

  • A nonprofit organization, or 

  • An institution of higher education. 


How can your business comply?

Ensuring an up-to-date and comprehensive privacy policy is public and easily accessible is crucial. 

This means clear information on how data is collected and processed, how to withdraw consent, and an explanation of consumers’ data rights. It is important that consumers can opt out of the sale of personal data and of the use of that data for targeted advertising or profiling. 

Additionally, businesses must maintain sufficient security practices that protect the confidentiality and accessibility of consumer data. 

This means proper data management practices, regular auditing, and training staff with the necessary knowledge and tools to maintain data integrity. 

Companies must remember that compliance with one privacy law does not guarantee compliance with the VCDPA. 

Unlike the CCPA, the VCDPA does not give residents a private right of action, so individuals cannot file private lawsuits. However, the law is enforced by the Virginia Attorney General, and companies that breach it can face civil penalties of up to $7,500 per violation. 

The Attorney General can also request data protection assessments (DPAs) and reports to assess how data is being processed and identify any security or privacy risks. Data controllers can be required to conduct these DPAs over processing activities including:

  • Data processed for targeted advertising,

  • The sale of personal data,

  • Data processing activities that may involve a “heightened risk of harm to consumers”,

  • The processing of sensitive data, and

  • Data processing for profiling and where this may present a risk of unfair treatment, discrimination, or other injuries to consumers. 


While the United States still lacks a federal piece of data privacy legislation, this law has significant positive implications. It entrenches more people’s data rights, it keeps businesses accountable for their management of data, and it helps to further data awareness and the need for data legislation across the country. 

It is important for companies to understand their obligations under the VCDPA and take necessary steps to ensure compliance. As de-identified data falls outside the scope of the act, a useful means of managing this data is by anonymising and redacting it. 

