Virginia’s Consumer Data Privacy Act (“VCDPA” or “the Act”) is the newest state privacy law in the U.S. This blog will examine who is subject to the Act and key requirements to consider.
Who Must Comply?
The Act applies to businesses that operate in Virginia or provide products and services targeted to Virginians while doing either of the following:
- Controlling or processing data of more than 100,000 consumers in a calendar year
- Controlling or processing data of more than 25,000 consumers, with more than half of the business’ income generated from the sale of personal data
Notably, the definition of “consumer” applies only in the individual or household context, not in the commercial or employment context.
The VCDPA also exempts companies that fall within any of these categories:
- Virginia governmental agencies
- Financial institutions
- HIPAA-covered entities or business associates
- Institutions of higher education
This exemption for entire companies is significant, and it is an open question of how broadly the financial institution and HIPAA exemptions will apply to businesses that function across multiple sectors.
In addition, exemptions for specific data include several types of health care data (in any context), employment data, emergency contact data, and beneficiary data as well as data subject to FCRA, Driver’s Privacy Protection Act, FERPA, or the Farm Credit Act.
Key VCDPA Requirements
Below is a summary of the significant elements of the VCDPA:
- Sensitive Data: The VCDPA defines sensitive personal data (see GDPR Article 9) and requires businesses to obtain opt-in consent for processing sensitive data. Businesses must also complete a data protection assessment (see below).
- Data Protection Assessment: For certain defined categories of processing, including processing sensitive data, targeted advertising, and profiling, a data protection assessment is required. The assessment weighs the potential benefits to consumers against the potential harms. Note that assessments are not required for processing activities in effect before January 1, 2023.
- Processors: VCDPA imposes duties on data processors to adhere to the controller’s instructions and assist the controller in meeting its obligations under the Act. Processors are also obligated to make all supporting documentation available upon reasonable request from the controller.
- Data Subject Rights and Opt-out: Data subject rights mirror other privacy regulations. The VCDPA expands opt-out rights to include the right to opt out of targeted advertising, profiling, and sales of personal data.
- Privacy Notice: Besides the standard elements required within a privacy notice, VCDPA emphasizes that data sales or targeted advertising should be clearly and conspicuously disclosed, as well as the consumer’s right to opt out of such processing.
- No Private Right of Action: The Virginia Attorney General will have sole enforcement responsibility for the Act.
VCDPA requirements build on established privacy concepts from GDPR, with minor changes. Companies should expect these concepts to continue to appear in future state privacy laws. Reviewing and addressing these items now will enhance your company’s privacy posture and help you address new laws without operational disruption.
Want to know more about VCDPA, GDPR, or privacy in general? Contact us here.