The Virginia Consumer Data Protection Act (HB 2307 / SB 1392) or (VCDPA) passed the Virginia House of Delegates and the state Senate on February 5, 2021. The law passed with significant bipartisan support. It will become enforceable on January 1, 2023.
This article will look at what the law requires and how you can comply.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Who is Covered by the Virginia VCDPA?
- 1.1. Definition of "Consumer"
- 1.2. Definition of "Personal Data"
- 1.3. Consent and Sensitive Personal Data
- 1.4. Exemptions to the Virginia VCDPA
- 2. Consumer Privacy Rights
- 2.1. Exemptions from the Definition of "Sale"
- 3. Your Responsibilities Under the Virginia VCDPA
- 3.1. Only Collect Necessary and Relevant Data
- 3.2. Allow Opting Out
- 3.3. Have Data Security
- 3.4. Don't Discriminate
- 3.5. Be Mindful of Sensitive Data Processing
- 3.6. Provide a Privacy Notice
- 3.7. Have Third-Party Data Processing Agreements
- 3.8. Conduct Data Protection Assessments
- 4. Penalties for Non-Compliance
- 5. Shortcomings of the Virginia VCDPA
- 6. Summary
- 7. All US Privacy Laws
Who is Covered by the Virginia VCDPA?
The Virginia Consumer Data Protection Act (VCDPA) would cover the following:
-
Persons that do business in the Commonwealth or who produce products or services that are targeted to residents of the Commonwealth, and that:
-
During a calendar year, process or control personal data of at least 100,000 consumers, or
-
Process or control the personal information of at least 25,000 consumers and obtain over 50 percent of gross revenue from selling that data
Definition of "Consumer"
According to the Virginia Consumer Data Protection Act (VCDPA), a "consumer" is "a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context."
However, there are some crucial exceptions to this definition.
For instance, as in the WPA, a "consumer" is not someone who acts in an employment or commercial context. Moreover, these people are exempt from the legislation's provisions for consumer rights, which we describe below.
Definition of "Personal Data"
-
The Virginia Consumer Data Protection Act (VCDPA) defines "personal data" as "any information that is linked or reasonably linkable to an identified or identifiable natural person." However, publicly available information, and data that has been de-identified, is excluded from that definition.
-
"De-identified data'' is information, which "cannot reasonably be linked to an identified or identifiable natural person [or] a device linked to such person." Interestingly, companies must protect de-identified data under the VCDPA to reduce the risk of re-identification. Moreover, the law demands that the data controller (any entity that acquires and possesses the personal data of a consumer for its own use) make a public commitment not to make any effort at re-identification.
-
Any data controller that discloses de-identified information must use "reasonable" oversight methods to ensure that recipients comply with all contractual obligations and take applicable measures to handle any breaches that may occur.
-
Note that the Virginia VCDPA would not restrict either the controller's or the processor's right to "conduct internal research to develop, improve, or repair products, services, or technology."
Consent and Sensitive Personal Data
Specific categories of personal data are designated as "sensitive personal data," which includes:
-
Personal data revealing racial or ethnic origin
-
Religious beliefs
-
Mental or physical health diagnosis
-
Sexual orientation
-
Immigration or citizenship standing
-
The processing of biometric or genetic data to uniquely identify a natural person (physical or digital photographs, a video or audio recording or data generated therefrom, etc. are excluded)
-
The personal information collected from a known child
-
Precise geolocation data
The legislation defines "consent" as "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." This is another area where the Virginia VCDPA borrowed from the WPA.
When processing sensitive personal information, companies are required to obtain consent from consumers.
Finally, companies in compliance with the 1998 Children's Online Privacy Protection Act (COPPA) in terms of verifiable parental consent will also be considered in compliance with the Virginia VCDPA's requirements to acquire parental consent for individuals under the age of 13.
Exemptions to the Virginia VCDPA
The Virginia Consumer Data Protection Act (VCDPA) has several exemptions, including exceptions for higher education institutions, business associates, nonprofits, and "financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act." Exemptions are also provided for companies covered by HIPAA.
Additionally, the Virginia VCDPA cannot limit a controller or processor's ability to:
-
Comply with state or federal law
-
Cooperate with law enforcement
-
Defend legal claims
-
Provide a service or product, which a consumer requests
-
Perform a contract with the consumer
-
Detect or prevent security incidents
The law also will not forbid controllers and processors from conducting:
"internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party."
Finally, there are specific data sets exempted from the Virginia VCDPA. They include:
-
Specific personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
-
Particular kinds of data regulated by the Fair Credit Reporting Act (FCRA)
-
HIPAA personal health data
-
Data related to employment
Consumer Privacy Rights
The Virginia Consumer Data Protection Act (VCDPA) provides Commonwealth of Virginia residents with specific rights concerning privacy. These include the following:
-
The right to confirm a consumer's personal data is being processed by a controller
-
The right to access personal data possessed by a controller
-
The right to have personal data deleted
-
The right to opt-out of the processing of personal information that is intended to be used for the sale of such data, targeted advertising, or profiling the consumer, and
-
The right to acquire a copy of the consumer's personal information in a portable and usable format (provided it's technically practical) which allows the consumer to transmit the data to another controller without obstruction
In regard to all of the above, controllers must respond to consumer requests within 45 days. However, there are some cases where businesses are exempt from complying with consumer rights requests.
These include:
-
When personal information has already been pseudonymized (and safeguards are in place), and
-
When complying would be "unreasonably burdensome"
Always disclose what rights users have via a clause in your Privacy Policy. You should also let them know how they can go about exercising any of these rights if they wish to, like so:
Exemptions from the Definition of "Sale"
Unlike the California CCPA, the Virginia Consumer Data Protection Act (VCDPA) defines the sale of personal data as "the exchange of personal data for monetary consideration by the controller to a third party."
For the sake of comparison, the California CCPA adds in the words "other monetary consideration" to its definition of "sale."
Additionally, the Virginia VCDPA excludes the following from the definition of "sale:"
-
When the controller discloses personal data to a processor, which then processes the information on the controller's behalf
-
When the consumer requests a service or product and the controller discloses the data to a third party to provide that service or product
-
When the personal data is transferred or disclosed to a controller's affiliate
-
When personal information is intentionally disclosed via mass media and was not restricted to a specific audience by the consumer and is therefore available to the general public, or
-
When personal data is transferred or disclosed as an asset to a third party as part of a bankruptcy, merger, acquisition, or another transaction where the third party takes control of the controller's assets in whole or in part
Your Responsibilities Under the Virginia VCDPA
To comply with the Virginia Consumer Data Protection Act (VCDPA), companies must do the following.
Only Collect Necessary and Relevant Data
Restrict the data you acquire to only information that's necessary and relevant for specific processing purposes. For example, if you're collecting information to send out an email newsletter, you don't need to collect a home mailing address since that isn't relevant to your purpose.
Allow Opting Out
You must allow users to opt out of having cookies placed on their devices that are used for targeted advertisements.
You can do this by including an option for declining or adjusting settings on cookies used via a cookie consent notice, like this:
You should include a clause within your Privacy Policy that lets users know they can opt out, and how to do so. Here's an example:
Have Data Security
Put security safeguards in place to protect personal information.
When you have safeguards in place to keep information secure, you can alert the public and authorities of this by including a security clause like this in your Privacy Policy:
Don't Discriminate
Refrain from any discrimination against consumers that wish to exercise their privacy rights.
There's some wiggle room here for controllers provided consumers have used their rights to opt-out, or when services or products "require" their personal information. Another area where flexibility exists is in regard to premium features, loyalty programs, and discounts.
But in general, offer the same level of service to everyone regardless of whether they have opted out of sharing data with you or have exercised any of their rights.
Be Mindful of Sensitive Data Processing
Refrain from processing sensitive data without consent.
When requesting consent to process sensitive data, you can request users check a box next to a statement that they agree to your Privacy Policy, and then include a clause within your Privacy Policy stating how you will process sensitive data.
Here's an example of a checkbox like this being used to obtain consent:
Provide a Privacy Notice
Satisfy this by having a Privacy Policy that specifically discloses the following:
-
What categories of personal data you collect or process
-
What categories of personal data you share with third parties
-
The categories of the third parties that you share data with
-
Your purpose for collecting and processing data
-
If you collect or process any data for the purpose of targeted advertising, and clear instructions for how consumers can opt out of this
Here's how you can disclose information about types and categories of personal information collected in a Privacy Policy:
Disclose user rights and how they can be exercised like so:
Have Third-Party Data Processing Agreements
Data processing agreements with third party data processors must:
-
Provide instructions on the processing of personal information that includes the overall purpose and nature of the processing
-
Identify the kind of data that will be processed and must also include the length of time the processor may process the data and the obligations and rights of both parties
-
Make sure that all individuals that process personal data are bound by confidentiality in terms of that personal data
-
Delete or return all personal information once the purpose for which it was collected is fulfilled
-
Cooperate with assessments, and
-
Pass on all of the above requirements to any subcontractors
Conduct Data Protection Assessments
Before a company begins processing personal data, which "present a heightened risk of harm to consumers," and that may include targeted advertising, specific profiling activities, the sale of data, or sensitive data, it must conduct a data protection assessment.
All data protection assessments are required to compare the possible risks to consumers' rights (lessened by security measures) with the general benefits of continuing on with processing activity.
It is crucial to note that Virginia's Attorney General can force businesses to conduct a data protection assessment without a court order. However, all assessments are exempt from Virginia's Freedom of Information Act and remain confidential.
Additionally, should the Attorney General demand a data protection assessment, work product protection regarding the contents of an assessment or attorney-client privilege is not to be considered waived.
Penalties for Non-Compliance
The Virginia Attorney General's office has exclusive authority to enforce the law. It must provide companies with 30 days' notice of any violation. The offending company then has that amount of time to cure the offense.
If the company takes no action and the violation is not remedied, it could be subject to fines of up to $7,500 per violation.
Additionally, the offending company could be forced to pay "reasonable expenses incurred in investigating and preparing the case, including attorney fees."
Shortcomings of the Virginia VCDPA
Critics of the new legislation continue to argue that the legislation doesn't include provisions that allow consumers to sue companies that infringe upon their privacy rights. (In other words, there is no private right of action.)
Privacy advocates like Consumer Reports and the Electronic Frontier Foundation urged Virginia's lawmakers to increase protections in the Virginia VCDPA to the point that it was comparable with the California CCPA.
Summary
-
The Virginia Consumer Data Protection Act (VCDPA) passed the Virginia House of Delegates and the state Senate on February 5, 2021
-
The legislation aims to allow residents of the Virginia Commonwealth to opt-out of the sale of their personal data as well as the targeting of that information in a fashion similar to California's Consumer Privacy Act (CCPA)
-
The law becomes enforceable on January 1, 2023
-
The law covers persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth
-
The law exempts higher education institutions, business associates, nonprofits, and "financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act
-
The law exempts companies covered by HIPAA
-
Companies must restrict the data they acquire to only information that's necessary and relevant
-
Provide privacy notices, which disclose information such as the types and categories of personal information collected, why the data is collected, and how consumers may exercise their rights
-
Consumers have the right to opt-out, the right to access data, correct faulty data, and delete data
-
Companies must conduct data protection assessments before they begin processing personal data
-
Companies that violate the Virginia VCDPA could be subject to fines of up to $7,500 per violation and reasonable expenses incurred in investigating and preparing the case, including attorney fees
While other states in America continue to contemplate data privacy and protection laws, Virginia has effectively made itself second only to California in its efforts to pass a comprehensive privacy law.
In light of the above, companies that do business in Virginia should begin working to comply with the Viriginia VCDPA if they haven't started doing so already.
All US Privacy Laws
Want to read more about privacy laws in the USA? Start here:
COPPA: Children's Online Privacy Protection Act | Federal law that protects the privacy of children under 13 years of age when online or using a mobile app. |
HIPAA: Health Insurance Portability and Accountability Act | Federal law that protects the privacy of health information of individuals. |
California CalOPPA: California Online Privacy Protection Act | California law that requires commercial websites to properly display a compliant Privacy Policy. |
California CCPA: California's Consumer Privacy Act | California law that gives consumers many privacy rights while putting transparency obligations on businesses. |
California CPRA: California's Privacy Rights Act | California law that expands the CCPA and gives consumers additional rights. |
Virginia VCDPA: Virginia's Consumer Data Protection Act | Virginia law that allows users to opt out of the sale of their personal data. |
Maryland PIPA: Maryland's Personal Information Protection Act | Maryland law that requires businesses to keep personal information private and secured. |
Utah UCPA: Utah's Consumer Privacy Act | Utah law that provides a range of consumer privacy rights, including the right to data portability. |
Connecticut CTDPA: Connecticut's Personal Data Privacy and Online Monitoring | Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data. |
Colorado CPA: Colorado's Privacy Act | Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data. |
Florida FPPA: Florida's Privacy Protection Act | Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent. |
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.