CDPA: Virginia’s Consumer Data Protection Act Explained

by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

May 13, 2022


The Virginia Consumer Data Protection Act (CDPA) was enacted in 2021 and is designed to provide enhanced data protection to its consumers, complete with administrative recourse for violations.

Virginia is one of four US states to develop a comprehensive data protection law for its residents, similar to California’s Consumer Privacy Act (CCPA) of 2018 and its supplemental California Privacy Rights and Enforcement Act (CPRA) of 2020. The other two states with data privacy laws are Utah and Colorado.

Although the CDPA does not take effect until January 1, 2023, it’s important to determine its future applicability to your business to avoid potentially costly penalties.

Read on to learn more about the CDPA and what you need to do to comply. Specifically, we’ll cover how consumers are affected, who must comply, how businesses can comply, and how the law will be enforced.

Table of Contents
  1. What Is the Virginia Consumer Data Protection Act (CDPA)?
  2. What Are the Requirements of the CDPA?
  3. CDPA vs. CCPA/CPRA: Similarities and Differences
  4. How Are Consumers Impacted by the CDPA?
  5. How Are Businesses Impacted by the CDPA?
  6. Who Must Comply With the CDPA?
  7. How Can Businesses Comply With the CDPA?
  8. How Will the CDPA Be Enforced?
  9. Fines and Penalties
  10. Summary

What Is the Virginia Consumer Data Protection Act (CDPA)?

The CDPA is a Virginia data protection law that gives consumers more control over the personal information that businesses collect about them and provides guidance to businesses on how to implement enhanced privacy measures. It is currently one of four comprehensive state data privacy laws that have been passed in the US.

The CDPA regulates how businesses are allowed to handle personal information that is linked or reasonably linkable to an identified or identifiable natural person who is a resident of Virginia.

For consumers, the CDPA grants specific rights related to the use of their personally linkable data. These include the right to:

  • Access their personal data
  • Correct their personal data
  • Request that businesses delete their personal data
  • Obtain a copy of their personal data
  • Opt out of the processing of their personal data
  • Opt out of targeted advertising and sales
  • Not be discriminated against for exercising these rights
  • Submit a complaint about violations of these rights

What Are the Requirements of the CDPA?

The requirements under the CDPA specifically relate to how your business collects and processes the personal information and data of consumers.

For compliance with VCDPA requirements, your business must present and explain all available consumer rights in a clear and accessible manner. In addition, your business must set up a process for consumer communication, obtain consumer consent as necessary, and be completely transparent about how you share and sell a consumer’s personal data.

These new rules establish how your business can obtain, disclose, use, share, store, sell, process, or control the consumer data and personal information that you collect. The law also requires businesses to conduct data protection assessments related to processing personal data for targeted advertising and other sales purposes.

Consumer Requirements

To meet the threshold requirements of the CDPA, you must conduct business in Virginia or produce products or services that are targeted to residents of Virginia — this may cover a large number of businesses.

For example, if your global website targets consumers throughout the United States, this would include residents of Virginia. You should also comply with the CDPA if your EU-based site targets EU, UK, and US consumers, even if you have relatively few US users compared to EU and UK users.

The remaining requirements have to do with the number of consumers affected by your business practices during a calendar year and whether or not you:

  • Control or process the personal data of at least 100,000 consumers
  • Control or process the personal data of 25,000 consumers and derive over 50% of your gross revenue from the sale of personal data

Personal Data Defined

Personal data is defined under the CDPA as any information that is linked or reasonably linkable to an identified or identifiable natural person.

The CDPA’s definition of personal data to be protected includes:

  • Names
  • Addresses
  • Social security numbers
  • Driver’s license
  • Precise geolocation data

Sensitive personal information includes:

  • Racial or ethnic origin
  • Religious or political convictions
  • Genetic or biometric data
  • Citizenship or immigration status
  • Sexual orientation
  • Data collected from known children

Data Privacy Policy

Privacy policies usually begin with the fact that data is being collected, followed by a detailed explanation of the types of data that a business may collect and a consumer’s right to access and control that data.

The CDPA requires you to provide a clear, reasonably accessible, and meaningful privacy notice that specifies:

  • The purpose for processing personal data
  • The categories of data processed
  • The categories of data shared with third parties
  • The categories of data sold to third parties
  • The categories of third parties themselves
  • How consumer requests can be submitted
  • A mechanism for appealing decisions related to consumer requests
  • Clear disclosure of any processing of personal data for targeted advertising
  • How consumers can opt out of the processing of their personal data

Consent

The CDPA requires businesses to obtain explicit and affirmative consent from consumers indicating their informed and unambiguous agreement to the processing of their personal data.

Consumers must actively show that they consent to the processing of their personal data. This is usually done by having consumers:

  • Tick an unchecked electronic checkbox
  • Type a written statement — e.g., “I agree to let [company name] process my personal data.”

Your business must take care when dealing with children. While consent is expressly required when processing a consumer’s sensitive data, the processing of a child’s information must also comply with the federal Children’s Online Privacy Protection Act (COPPA).

Voluntary Consent

Personal data can be collected and shared for any purpose as long as the consumer gets notified and gives voluntary consent.

In other words, the consumer must be able to make the choice on their own. For example, if you’re using a checkbox to get their consent, you need to provide a blank checkbox that they can check off. A blank checkbox allows them to “opt-in” to your terms and conditions.

In contrast, if you give consumers a pre-ticked checkbox, you’ve already made their choice for them.

Record Keeping

There are no significant recordkeeping requirements in the Virginia Consumer Data Protection Act, aside from documenting data protection assessments. However, these can be cumbersome, as they require each business to conduct and document a data protection assessment for:

  • The processing of personal data for purposes of targeted advertising
  • The sale of personal data
  • The processing of personal data for purposes of profiling
  • The processing of sensitive data
  • Any processing activities involving personal data that present a heightened risk of harm to consumers

Appeals Process

If you fall under the parameters of the CDPA, your business must establish a process to handle consumer requests and appeals of decisions.

You must answer an authenticated consumer rights request within 45 days. If the consumer wishes to appeal whatever decision has been made, your entire appeals process must conclude within 45 days of receipt.

During that time, a grace period of an additional 45 days is allowed when reasonably necessary.

In addition, your business must provide a mechanism — online, if available — for a consumer to contact the Virginia Attorney General’s Office and submit a complaint if their appeal is denied.

If an online method is unavailable, you must provide another method to contact the Virginia AG.

CDPA vs. CCPA/CPRA: Similarities and Differences

The VA consumer law was created in the wake of California’s data privacy laws. Those initial laws created the strictest data privacy and digital consumer rights law in the United States. Virginia has incorporated the best of these laws to create a comprehensive Virginia data protection act that is both clear and accessible.

Let’s review California’s policies.

California Consumer Privacy Act (CCPA)

On January 1, 2020, the California Consumer Privacy Act (CCPA) became the law in California and established rules and regulations on how to handle the personally identifiable information of California residents.

The CCPA primarily requires that you present a cookie policy that explains the cookies you collect and store and how you or third parties may use them.

Presently, you must comply with the rules of the CCPA if your business meets any of the following:

  • Gross annual revenue of over $25 million
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
  • Derive at least 50% of annual revenue from selling California residents’ personal information

California Privacy Rights Act (CPRA)

In November 2020, a supplement to the CCPA was put in place that served to amend data privacy law requirements in California.

The California Privacy Rights Act (CPRA) is a powerful data privacy law that affects the privacy and notice requirements of all websites that may be directed at or accessible to consumers in California.

The CPRA does not replace the CCPA but amends it to benefit consumers by increasing consumer rights and fully delineating business compliance requirements. Both the CDPA and the amendments of the CPRA will go into effect on January 1, 2023.

For the CPRA, two significant requirements will change:

  • Increasing the threshold applied to the handling of personal information from 50,000 California residents to 100,000
  • Information-sharing will be treated as protected personal data — rather than just buying, receiving, or selling

The VCDPA also requires disclosures regarding the handling and use of shared personal data.

In an interesting addition to the CPRA, any data collected by businesses from January 1, 2022, will be subject to compliance with the CPRA. This addition is termed a lookback period, intended to verify that personal data was handled properly. The VCDPA does not include a lookback period.

Virginia Consumer Data Protection Act (CDPA)

After the California addendum and expansion, the CDPA appears to have taken the best of what these other laws have to offer. It is concise, clear, and clarifies certain exemptions to its regulations.

Annual Revenue

The VA consumer protection laws will apply to your business if you handle or control the personal data of 100,000 Virginia residents or you handle or manage the personal data of 25,000 Virginia residents while deriving 50% of your gross revenue from the sale of personal data.

Concerning annual revenue and the scope of compliance, the CDPA is closer to the CPRA in its threshold requirements since it has added sharing to its disclosure and privacy notice requirements.

Because the sharing of information is so prevalent, this will undoubtedly affect many businesses in Virginia.

Internet Activity

Unlike the California requirements, the Virginia Consumer Data Protection Act does not add devices to its protected class of information, and it is unclear whether internet activity is protected. This activity would include online browsing history, search history, and IP addresses that could be traced back to a consumer’s device and potentially link to their identity.

“Do Not Sell/Share My Information” Page

At present, the CDPA does not require disclosures alerting consumers that their personal data is being sold or shared. However, it does require a privacy notice explaining how to opt out of the processing of their personal data and how to opt out of targeted advertising and sales.

This is a less cumbersome requirement than being required to post conspicuous links on your pages.

Under the amended CPRA, if your business shares or discloses personal information to third parties for cross-context behavioral advertising, consumers must be informed. While it’s true that the VCDPA requires notice and the choice to opt out, when the CPRA goes into effect, it will require an explicit and noticeable link stating “Do Not Share My Personal Information” and another titled “Limit the Use of My Sensitive Personal Information.”

If your business processes the personally identifiable data of California residents, along with other threshold requirements, you may also be subject to these laws.

Enforcement

Like the California data privacy laws, Virginia’s data privacy law gives the state’s Attorney General’s office enforcement authority.

The CPRA amendment to the CCPA strengthens enforcement authority by establishing a new government agency to enforce the state’s data privacy laws, named the California Privacy Protection Agency (CPPA).

Virginia has no separate agency to handle and enforce consumer complaints.

Further, in contrast to the CCPA, the CDPA expressly states that consumers do not have a private right of action to sue companies for alleged violations. Instead, they must seek enforcement through the Attorney General’s Office.

How Are Consumers Impacted by the CDPA?

The CDPA provides consumers the tools to protect the personal information and data they share with businesses. However, only certain categories of consumers are impacted.

A consumer protected under the CDPA is defined as a natural person who is a resident of the Commonwealth of Virginia and acting only in an individual or household capacity.

This definition means that the obligations placed upon businesses by the CDPA do not extend to someone acting in a commercial or employment context.

Personal data is also categorized, with personal data consisting of any information that is linked or reasonably linkable to an identified or identifiable natural person. This does not include any data that has been previously de-identified or any information already publicly available.

How Are Businesses Impacted by the CDPA?

The VCDPA requires businesses to be more transparent in their handling of consumers’ personal information and data. This new Virginia data privacy law affects how companies obtain, use, access, store, disclose, or share their clients’ personal information.

Businesses will need to develop stronger data protection processes and controls to respond quickly to both consumer requests and complaints. In this way, the CDPA specifically impacts the method of communication between your business and your clients.

Who Must Comply With the CDPA?

Your business must comply with the CDPA if you conduct business in Virginia or target your products and services to residents of Virginia.

In addition, compliance is dependent on the number of consumers affected. At a minimum, your business must control or process the personal data of at least:

  • 100,000 consumers during a calendar year
  • 25,000 consumers when 50% of your gross revenue comes from the sale of personal data

Are There Any Exemptions?

Yes, the CDPA provides exemptions from its requirements depending on the type of business or entity involved and the types of information and data you collect.

Exemptions for businesses or entities:

  • Banks or financial institutions
  • State agencies
  • Nonprofit organizations
  • Colleges and universities

Exemptions for certain information and data:

How Can Businesses Comply With the CDPA?

Businesses can comply with the CDPA by being transparent about the data and personal information they collect. Moreover, steps and procedures must be outlined that are clearly visible and accessible to all consumers.

If your business is subject to the CDPA, you will have to develop and implement new policies and procedures to ensure that your monitoring, testing, or auditing programs align with the new rules established by Virginia’s comprehensive data privacy law.

Under the CDPA, your business must:

  • Be transparent: You must be transparent with consumers in how you handle their personal data and explain how you conduct business with third-party vendors whenever it involves personal client data.
  • Limit data collection: Limit information and data collection to what is adequate, relevant, and reasonably necessary to run your business. The CDPA extends to both online and offline data collection practices.
  • Limit purpose: Process personal information and data only for purposes that are compatible with the purposes disclosed to the consumer.
  • Maintain security protocols: Establish, implement, and maintain security measures that are reasonably required to protect consumers’ personal data. New assessment measures may be required.
  • Avoid discrimination: Your business cannot process personal data in a way that violates state or federal anti-discrimination laws. In addition, businesses are generally prohibited from discriminating against a consumer for exercising their rights under the CDPA.
  • Obtain consent: Your business is required to obtain consent for the processing of personal data. Express consent is particularly important when processing sensitive data, handling children’s data or deviating from a consumer’s previously disclosed purposes.

How Will the CDPA Be Enforced?

The CDPA’s enforcement method can greatly benefit your business because it has a 30-day cure period. During this time, letters alleging noncompliance are sent to businesses, giving a business time to communicate with the attorney general’s office and remedy any potential violations before fines are imposed.

If a consumer’s request to invoke their rights is denied and the consumer appeals the decision, the Virginia Consumer Data Protection Act provides a detailed mechanism for the submission of appeals. In terms of the time needed to handle consumer requests, VCDPA enforcement provides for 30 days in which to respond to a consumer request.

Finally, proper enforcement requires that consumers be given the tools to reach out to the Virginia Office of the Attorney General either online or through any other available method.

Fines and Penalties

Companies found to be in violation of the CDPA are subject to potential injunctions and civil penalties of up to $7,500 per violation, as well as attorney’s fees.

You can avoid fines by complying promptly with any viable requests made by the Office of the Attorney General. Businesses can also avoid fines by preparing for the requirements of the CDPA ahead of time to avoid the possibility of potential penalties associated with noncompliance.

Ultimately, all fines go to a Consumer Privacy Fund to be used to support the work of the Attorney General in enforcing the provisions of the VCDPA.

Summary

The best approach for your business will be one that incorporates the requirements of the VCDPA while remaining adaptive to new additions to data privacy compliance requirements in the future.

The CDPA does not take effect until January 1, 2023. Businesses can utilize this time to examine the new law’s requirements and incorporate rules and regulations as required. If your business fails to abide by the new law’s requirements, the penalties can be costly.

Until a federal consumer data privacy law is adopted, California and Virginia represent the emerging trend of state oversight and regulation regarding how to process consumers’ personal data.
