By Dan Sholler
On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. Virginia is the second state to enact a comprehensive state privacy law, following California, and its substance draws on both of California's laws: the California Consumer Privacy Act (CCPA) and the newly enacted California Privacy Rights Act (CPRA). Virginia's legislature is also the first to enact such a law on its own initiative; the California Legislature passed the CCPA in 2018 to preempt a ballot initiative, and the CPRA itself was passed as a ballot initiative by California voters.
The VCDPA, which will go into effect on January 1, 2023, differs from other enacted state privacy laws, and companies doing business in Virginia or marketing to Virginians will need to reassess their collection and use of consumer personal information and modify their compliance efforts.
Need-to-Know Information
How does this differ from California's privacy laws? Like the CCPA and CPRA, the VCDPA grants Virginia residents the rights to access, correct, and delete their personal data, to obtain a portable copy of it, and to opt out of its sale, of its processing for targeted advertising, and of profiling. However, the VCDPA departs from its California counterparts and aligns with the European Union's General Data Protection Regulation (GDPR) in a few key respects, including its data protection assessment requirement and its use of "controller" and "processor" terminology. The VCDPA also departs from the CCPA and CPRA by leaving enforcement entirely to the Attorney General: it provides no private right of action for consumers.
What are the Data Minimization Requirements under VCDPA?
Like the CCPA/CPRA, the VCDPA limits businesses' collection and use of personal data and requires technical safeguards. The VCDPA explicitly limits controllers' collection of personal data to what is reasonably necessary for the purposes disclosed to consumers, and restricts processing for purposes that are neither reasonably necessary for nor compatible with those disclosed purposes. Also, like the CPRA and the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the VCDPA requires that businesses "establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data," appropriate to the volume and nature of the personal data at issue.
Similarities to GDPR Requirements:
The VCDPA requires controllers to conduct "data protection assessments" evaluating the risks of processing activities that present a heightened risk of harm, including the processing of sensitive data, processing for targeted advertising or profiling, and the sale of personal data. The VCDPA does not specify how often these assessments must be repeated, but the Attorney General may request them. Like Article 28 of the GDPR, the VCDPA also requires that the controller-processor relationship be governed by a data processing agreement. The VCDPA does not displace or amend businesses' existing obligations under Virginia law to report data breaches.
Expert Analysis from Dan Sholler, Exterro Data Privacy
The addition of Virginia to the U.S. privacy portfolio creates another jurisdiction with subtly different regulation and regulators, and it is unlikely to be the last. This creates uncertainty about what overall privacy compliance actually looks like, and that uncertainty demands proactive engagement with the regulators (or with industry groups engaged with the regulators) to head off unpleasant surprises later on.
Data Privacy Tip
Link your data management engine with multiple privacy, legal and business regulatory obligations to substantiate your decisions based on rich, contextual data insights. Ask us how!