
The Virginia Consumer Data Protection Act Goes Into Effect January 1, 2023

December 23, 2022

Signed into law on March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) was the second comprehensive state privacy law, following California, but the first to be initiated by the state legislature. It goes into effect on January 1, 2023, the first of four state privacy laws to begin enforcement this year.

Overview

While the VCDPA draws substantially from its predecessors in California, those laws came about differently: that state’s legislature enacted the CCPA to preempt a ballot initiative in 2018, and the CPRA was passed as a ballot initiative by California voters. Companies doing business in Virginia or marketing to Virginians will need to have implemented measures to ensure that their collection and use of consumer personal information meet the requirements of the law.

The VCDPA will grant Virginia residents the rights to access, correct, delete, know, and opt out of the sale and processing for targeted advertising purposes of their personal information, similar to the CCPA and CPRA. In other respects, the VCDPA aligns with the GDPR, including the adoption of data protection assessment requirements and “controller” and “processor” terminology.

Like the CCPA/CPRA, the VCDPA limits businesses’ collection and use of personal data and requires the implementation of technical safeguards. The VCDPA explicitly limits the collection and processing by controllers of personal data to that which is reasonably necessary and compatible with the purposes previously disclosed to consumers. Also, the VCDPA requires that businesses establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, as appropriate to the volume and nature of the personal data at issue.

The VCDPA requires controllers to conduct “data protection assessments” to evaluate the risks associated with processing activities that pose a heightened risk—such as those related to sensitive data and personal data for targeted advertising and profiling—and the sale of personal data. Unlike the GDPR, however, the VCDPA does not specify the frequency with which these assessments must occur. Like Article 28 of the GDPR, the VCDPA also requires that the controller-processor relationship be governed by a data processing agreement. The VCDPA does not displace or amend businesses’ existing obligations under Virginia law to report data breaches.

Who It Covers:

The VCDPA applies to business entities, including for-profit and B2B companies, that conduct business in Virginia or produce products or services that target Virginia residents and, during a calendar year, either:

  • Control or process personal data of at least 100,000 Virginia residents, or
  • Derive 50% of gross revenue from the sale of personal data AND control or process personal data of at least 25,000 Virginia residents

Enforcement

The VCDPA departs from the CCPA and CPRA by leaving enforcement entirely up to the Attorney General and not providing a private right of action for consumers.



Expert Analysis from Constantine Karbaliotis, CIPP/C/US/E, CIPT, CIPM, FIP, Counsel, nNovation, LLP
 

Virginia’s VCDPA increases data governance considerations around the management of personal data and presents some additional challenges for organizations operating across multiple states, in terms of strategizing an approach to developing uniform mechanisms for consumers to interact with them. VCDPA requires explicitly a privacy impact assessment in a broader number of circumstances than CCPA, where it is required where there is a significant risk. VCDPA requires PIAs for targeted advertising and profiling, selling personal data, processing sensitive data, or conducting any activity that creates a heightened risk of harm to consumers.

Virginia’s law also grants different rights to consumers than California’s CCPA. A consumer has an explicit right to confirm whether a controller is processing personal information, and the right to data portability explicitly requires the information be provided in a format readily imported to another controller. Most importantly, Virginia requires opt-in for the processing of sensitive data, while California only requires opt-out. Conversely, consumers in Virginia do not have a right to opt out of processing data for measurement of advertising effectiveness. Finally, Virginia’s right to request to delete data applies to data obtained about the consumer, while CCPA only applies to data provided by the consumer.
