Virginia Consumer Data Protection Act (VCDPA)

What types of consumer data does the VCDPA protect?

Personal data

The VCDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.

Sensitive data

The VCDPA defines sensitive data as a category of personal data that includes:

1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
3. The personal data collected from a known child; or
4. Precise geolocation data.

Is sensitive data treated differently from personal data?

Yes. The VCDPA prohibits the processing of sensitive data without obtaining consumer consent (Va. Code § 59.1-578). The processing of sensitive data also triggers the obligation to conduct and document a data protection assessment (Va. Code § 59.1-580).

What constitutes ‘consent’?

Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

What types of data are exempt from the VCDPA?

The VCDPA exempts certain information covered by federal laws and regulations, such as:

• HIPAA.
• Common Rule.
• Fair Credit Reporting Act.
• Driver’s Privacy Protection Act.
• Family Educational Rights and Privacy Act.

The VCDPA also exempts certain information processed or maintained in the employment context (Va. Code § 59.1-576.C).

Who does the VCDPA apply to?

The VCDPA imposes obligations on persons that either conduct business in the commonwealth or produce products or services that are targeted to residents of the commonwealth and that:

• control or process personal data of at least 100,000 consumers during a calendar year; or
• control or process personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.

Who is exempt from the law?

The VCDPA exempts the following entities:

• any body, authority, board, bureau, commission, district, or agency of the commonwealth or of any political subdivision of the commonwealth;
• any financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act;
• any covered entity or business associate governed by HIPAA’s privacy, security, and breach notification rules;
• any nonprofit organization; and
• any institution of higher education.

Compliance for data controllers

Who is a ‘controller’?

A controller is the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.

What are the main obligations and requirements of a controller?

Under the VCDPA, controllers are obligated to:

• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
• Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
• Establish one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.
• Disclose any sale of personal data to third parties or any processing of personal data for targeted advertising and provide a means for consumers to exercise their right to opt out of such processing.
• Provide consumers with a reasonably accessible, clear, and meaningful privacy notice.

Are there special obligations related to de-identified personal data?

Yes. A controller in possession of de-identified data must:

1. Take reasonable measures to ensure that the data cannot be associated with a natural person;
2. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
3. Contractually obligate any recipients of the de-identified data to comply with all provisions of the VCDPA.

Complying with consumer rights requests

To facilitate the exercise of consumer rights, the VCDPA requires a controller to:

• establish a process for consumers to submit authenticated requests to exercise their consumer rights;
• comply with consumer requests to exercise their rights;
• respond to consumer requests within 45 days of receipt;
• respond free of charge, up to twice annually per consumer;
• consider appeal of the decision;
• establish a process for a consumer to appeal the refusal to take action.

When can a controller refuse to comply with an authenticated consumer rights request?

A controller (or processor) need not comply with an authenticated consumer rights request if all the following are true:

1. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
2. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
3. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted.

When must a controller perform a data protection assessment?

A controller must conduct and document a data protection assessment in each of the following circumstances:

1. when processing personal data for purposes of targeted advertising;
2. when selling personal data;
3. when processing personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
4. when processing sensitive data; and
5. for any processing of personal data that presents a heightened risk of harm to consumers.

What must be included in a data protection assessment?

A data protection assessment must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.

Are data protection assessments for internal use only?

No. The Virginia attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in Va. Code § 59.1-578.

What is a controller prohibited from doing?

The VCDPA prohibits a controller from:

• Processing personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the controller obtains the consumer’s consent;
• Processing sensitive data concerning a consumer without obtaining the consumer’s consent;
• Discriminating against a consumer for exercising any consumer right;
• Attempting to waive or limit consumer rights in any way.

Compliance for data processors

Who is a ‘processor’?

A processor is a natural or legal entity that processes personal data on behalf of a controller.

What are the main obligations and requirements of a processor?

A processor must adhere to the instructions of a controller and must assist the controller in meeting its obligations under the VCDPA.

Data processing contracts

A contract between a controller and a processor governs the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

What specific terms must be included in a processor’s contract?

The contract must require the processor to:

1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the VCDPA.
4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.
5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Who enforces the VCDPA?

The Virginia attorney general has exclusive authority to enforce the VCDPA (Va. Code § 59.1-584).

Is there an opportunity to cure?

Yes. Prior to initiating an action, the attorney general must provide a controller or processor 30 days’ written notice identifying the specific provisions alleged to have been, or that are being, violated. If within the 30-day period the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated against the controller or processor.

What are the consequences for non-compliance?

If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation.

How is the VCDPA different from the CCPA?

At just eight pages, the VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Analysis by Bloomberg Law suggests that the law’s brevity and clarity may result in the VCDPA becoming a model for future privacy legislation.

The VCDPA clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context.” Unlike California, where the now-expired B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air.

Additionally, businesses must satisfy one of the thresholds to fall within the statute’s scope, and unlike California, the VCDPA makes no mention of a threshold based solely on annual gross revenue. Entities are not left to question whether the processing of data from a dozen or so consumers will subject them to the law.

Virginia’s law has no significant recordkeeping requirements, aside from documenting data protection assessments. If a business already has in place a GDPR- or CCPA-compliant process for receiving and responding to data subject or consumer access requests, that process should be sufficient to handle requests from Virginia residents.