Virginia Enacts Consumer Data Protection Act

As expected, Virginia became the second U.S. state to enact a sweeping data privacy law. The Virginia Consumer Data Protection Act (VCDPA) borrows heavily from California’s data privacy laws (CCPA and CPRA) and the EU’s GDPR, but also contains unique provisions. The law becomes effective on January 1, 2023 – the same day the CPRA takes effect in California.

Scope

Like California’s laws, the VCDPA applies to data controllers that meet certain thresholds (collect personal data of at least 100,000 Virginia consumers or collect personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data). It defines personal data similarly to California’s definition of personal information; however, it contains a broader exclusion for data available from government records (no need to use the data for the specific purpose the government makes it available). The law does not cover personal data collected in a commercial or employment context.

Exemptions

In addition to scope limitations, the VCDPA exempts financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA), covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA), nonprofits, and institutions of higher education. The GLBA exemption is broader than its California counterpart because it wholly exempts financial institutions, whereas the CCPA/CPRA only exempt data subject to GLBA. The VCDPA provides additional data-based exemptions, including data governed by federal laws such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and the Family Educational Rights and Privacy Act.

Consumer rights

The VCDPA provides consumer rights that largely align with the CCPA (access, deletion, opt-out of sales) and the CPRA (correction, opt-out of profiling, and targeted advertising). Sharing with corporate affiliates is not considered a sale. The law also grants a right to transfer data, meaning the business must supply a portable copy of the consumer’s personal data so they can transfer it to another provider. Virginia’s fulfillment rules and timelines mirror California’s except the state uses a single “commercially reasonable” identity verification standard and requires businesses to provide a right to appeal denials. The law contains several consumer rights exemptions, many of which mirror California’s deletion exemptions.

Controller responsibilities and prohibitions

The VCDPA includes provisions related to: (1) data collection and use limitations; (2) data security requirements; (3) anti-discrimination; (4) sensitive personal data; (5) privacy policies; (6) heightened disclosure standards related to data sales and targeted advertising; and (7) data protection assessments. Some of these rules track California law while others, such as an informed consent standard to process sensitive personal data, follow the GDPR model. Disclosures made via privacy policy are unlikely to meet the heightened disclosure standard; therefore, the VCDPA provides additional incentive for businesses to provide robust tracking (and now sales) disclosures through pop-up notices or similarly conspicuous means.

Processors

The VCDPA requires processors (akin to service providers under California law) to help controllers respond to rights requests, meet data security standards, and perform data protection assessments. Controller-processor contracts must include specific provisions, including language that goes further than CCPA/CPRA. Businesses should consider VCDPA (and CPRA) requirements when executing new vendor contracts and devise a strategy to efficiently update existing contracts.

Enforcement

Importantly, the VCDPA does not include a private right of action. It even contains a provision stating that it shall not serve as the basis for a private right of action under another law (i.e., no “bootstrapping”). This mirrors the CCPA/CPRA, although California plaintiffs are attempting to invent workarounds. The Attorney General will enforce the law and must provide a 30-day right to cure. Noncompliance after the cure period may result in civil penalties of up to $7,500 per violation plus expenses and attorneys’ fees.

Much like the CPRA, the VCDPA will require most businesses to adjust their data privacy practices. Certain substantive requirements may create challenges; however, businesses can leverage existing CCPA or GDPR-driven frameworks to expedite compliance. Moreover, the significant overlap and common effective date of the CPRA and VCDPA provide an opportunity to achieve compliance efficiencies. To account for the CPRA’s 12-month “lookback” period, businesses should update their privacy statements and other consumer disclosures, as applicable, prior to January 1, 2022.