What is VCDPA? Understanding the Virginia Consumer Data Protection Act

The VCDPA is Virginia's data privacy law. It is the second data protection act in the United States after the California Consumer Data Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA).

Like the EU's General Data Protection Regulation (GDPR), the VCDPA gives consumers the right to opt out of having their personal data collected, processed, and sold. The legislation also:

• Requires organizations and companies to get prior consent from end-users if they process or collect sensitive personal data for sale, targeted advertising, or profiling.

• Prohibits cookie or consent banners from having pre-ticked boxes. This is because consent must be clear, affirmative, freely given, informed, specific, and unambiguous.

• Establishes extensive consumer rights.

• Data processing obligations for covered companies and individuals.

In this blog, we will take a closer look at the provisions of the Virginia Consumer Data Protection Act and its implications for businesses operating in the state

What is the Virginia Consumer Data Protection Act (VCDPA)?

The Virginia Consumer Data Protection Act, also known as SB 1392, is a landmark piece of legislation that aims to protect the personal data of Virginia residents. This act sets strict standards for companies collecting, using, and storing personal data, including sensitive information such as financial and health records.

It requires companies to be transparent about their data collection practices and gives consumers the right to control their own personal information. The Virginia Consumer Data Protection Act also establishes a new enforcement mechanism for violations and imposes significant penalties for non-compliance.

When will the VCDPA come into effect?

The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023. This regulation was signed into law by Virginia Gov. Ralph Northam (D) on March 2, 2021.

Who does the VCDPA apply to?

According to section 59.1-572 of Virginia law, the VCDPA applies to any for-profit company that conducts business in Virginia, markets their services and goods to Virginia residents, controls or processes the personal data of 100,000 or more Virginia residents, or processes the personal data of at least 25,000 Virginia residents and makes more than 50% of their gross revenue from selling personal data

Although the VCDPA does not define "conducting business in Virginia," you should assume that the VCDPA applies to your company if your company is engaged in economic activity that triggers personal jurisdiction or tax liability in Virginia.

Additionally, as you can see by the language, controllers and processors that fall under this scope are subject to the data protection act.  

A controller is a company or individual who, alone or jointly with others, determines the means and purpose of processing personal data. For example, WhatsApp is a data controller because it collects phone numbers and determines the means of processing. Similarly, a dental office that uses an automated computer system to tell patients when to go to the consulting room is a controller because it controls the purpose and means of data processing.

Meanwhile, a processor is a legal or natural entity that processes personal information on a controller's behalf. For instance, let's assume a gym is running a promotional event and hires a printing company to create invitations. The gym shares with the printing company the addresses and names of their current members from their database, and the printing company uses this information to design and print invitations. 

In this case, the gym is the controller of the personal information because it determines the purpose (to send invitations to members about the promotional event) and means (sharing a database of the personal information with the printing company) of processing the data.

What organizations are exempt from the VCDPA?

According to section 59.1-572 of the VCDPA, certain businesses are exempt from the VCDPA, including:

• Financial institutions subject to the Gramm-Leach-Bliley Act

• Virginia state agencies

• Higher education institutions

• Non-profit organizations

• Business associates or covered entities that are governed by the security, privacy, and breach notification rules established according to the Health Insurance Portability and Accountability Act (HIPAA)

   

VCDPA Regulations: What you need to know

Let's discuss how the VCDPA deals with things like processing data, genetic or biometric data, a data subject, data portability, consumer data protection, and more:

What is considered "sensitive" and "personal" data under the VCDPA?

Section 59.1-571 of the VCDPA defines "personal data" as any information that is reasonably linked or linked to an identifiable or identified person. It does not include publicly available information or de-identified information.

On the other hand, "sensitive data" refers to a subset of personal data that includes:

• The processing of biometric or genetic data for the purpose of identifying a person

• Identifiable information revealing racial origin, mental or physical health diagnosis, religious beliefs, citizenship or immigration status, or sexual orientation

• The sensitive personal data collected from a known child

• Precise geolocation data

   

What rights do consumers have under the VCDPA?

Under section 59.1-573 of the VCDPA, every consumer has certain rights over their personal datails, including the right to:

• Confirm whether a company is processing their data and to access such data.

• Correct inaccuracies in their data.

• Delete personal information obtained about or provided by the consumer.

• Obtain a copy of their personal data that they previously provided to the company in a portable and readily usable format that allows the consumer to send the data to another business.

• Opt out of the processing of personal information for the following purposes:

  • The sale of data

  • Targeted advertising

  • Profiling for decisions that provide legal or similarly significant effects for the consumer

• Receive responses to their requests from the business within 45 days of receiving the request. The response period may be extended once by 45 days when necessary as long as the business tells the consumer of the extension within the initial 45-day response period. Information provided in response to a customer request should be free up to twice annually per consumer. However, if the consumer request is unfounded, repetitive, or excessive, the business may charge the consumer a reasonable fee to cover the costs of complying with the request. They can also decline to act on the request.

• Not be discriminated against for exercising the rights above.

Any provision of an agreement or contract that purports to limit or waive consumer rights in any way will be deemed void and unenforceable.

What are the data processing obligations under the VCDPA?

According to section 59.1-574 of the VCDPA, businesses that fall under the scope of Virginia's consumer data protection act have the following obligations:

• Data minimization: The VCDPA limits the collection of personal data to what is relevant, adequate, and "reasonably necessary." Companies can ask themselves the following questions to see if they are fulfilling this obligation:

  • Does the personal information collected by the company have a rational link to the purposes for collection?

  • Has the company identified what personal information is needed to meet its disclosed processing purposes?

  • Does the company have a data destruction or retention policy to safely destroy personal information when no longer needed?

• Security controls: This requires businesses to create, implement, and maintain reasonable data security practices from a technical, administrative, and physical lens.

• Non-discrimination: Businesses may not process personal data in a way that violates federal or state anti-discrimination laws.  

• Purpose limitation: Businesses can only process personal data for purposes reasonably necessary or compatible with purposes revealed to the consumer. For example, businesses can only process personal data according to their website's privacy notice.

• Consent: Companies must obtain express consent from consumers when they process sensitive data or deviate from the purposes of data processing that were disclosed to the consumer. Accordingly, a company must obtain express consent from consumers before deviating from its privacy policy. If a company wants to process the sensitive data of a known child, it must process such data in accordance with the Children's Online Privacy Protection Act.

   

Responsibilities of processors

According to section 59.1-575 of the VCDPA, a processor must follow a controller's instructions. It should also help the controller meet its obligations in the following ways:

• Consider the nature of processing and the information available to the processor to fulfill the controller's duty to respond to consumer rights as detailed in section 59.1-573.

• Consider the nature of processing and the information available to the processor by helping the controller meet its obligations in relation to the security of processing the personal data.

• Provide the necessary information to help the controller conduct and document data protection assessments.

Additionally, a contract between a processor and a controller must govern the processor's data processing procedures performed on the controller's behalf. The contract must be binding and contain instructions for:

• Processing data

• The purpose and nature of processing

• The type of data subject to processing

• The rights and obligations of both parties

• The duration of processing

• Requirements that the processor will:

  • Ensure that each individual processing personal data keeps the data confidential.

  • Delete or return all personal data to the controller at the end of the provision of services unless retention of the data is required by law.

  • Make available to the controller all data in its possession that is required to demonstrate the processor's compliance with this section's obligations.

  • Allow reasonable assessments by the controller or the controller's designated assessor.

  • Engage any subcontractor who is subject to a written contract that requires the subcontractor to meet the processor's obligations with regard to personal data.

  • Determine whether an individual is acting as a processor or controller. A processor that continues following a controller's instructions remains a processor.

Responsibilities of controllers

Under section 59.1-576 of the VCDPA, controllers are required to conduct and document data protection assessments of the following activities:

• The processing of personal data for targeted advertising

• The sale of personal data

• The processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of:

  • Deceptive or unfair treatment or disparate impact on consumers.

  • Physical, financial, or reputational injury to consumers.

  • An offensive intrusion upon consumers' private concerns or affairs.

  • The processing of sensitive data.

  • Processing activities involving personal data that present an increased risk of harm to consumers.

When conducting data protection assessments, controllers must identify and weigh the benefits of processing to the public against the potential risks of such processing. Controllers must factor in the use of de-identified information, consumers' reasonable expectations, the context of the processing, and the relationship between the consumer and the controller when conducting assessments.

Section 59.1-573 also requires controllers that use cookies and trackers to gather and process personal data from Virginia residents to give the residents the ability to opt out of any use of that for advertising. We will cover this in more detail below.

What does the VCDPA say about website tracking & advertising?

Under section 59.1-573 of the VCDPA, controllers that use trackers and cookies to gather and process personal data from individuals in Virginia must give users the option to opt out of that personal data being used for targeted advertising. That's when websites use personally identifiable information to create tailored marketing campaigns for users.

Controllers can give users the right to opt out by using a consent management platform which automatically detect trackers and cookies and control them based on user interactions with cookie banners.

If a user consents to have their data used for advertising, the website or app will use trackers and cookies to gather and process the user's personal information. If the user opts out of having their data used for targeted advertising, the website or app will have to honor the request.

Cookie banners are notifications that are displayed on apps and websites as pop-ups or banners. They appear upon a user's visit and explicitly ask for users' consent before deploying cookies.

Here's a cookie banner by the cosmetics brand Glossier:

As you can see, Glossier users can use the "Cookie Policy" link to read Glossier's privacy policy before deciding to accept their cookies. For more cookie banner examples, check out the best cookie banner examples we've seen in 2022.

VCDPA enforcement and penalties

Under section 59.1-580, the Virginia Attorney General will have exclusive authority to enforce the VCDPA.

Before starting any action, the public official will provide a processor or controller with a 30-day written notice identifying the specific parts of the VCDPA that the processor or controller has violated. If the processor or controller fixes the problem within the 30-day period and gives the office an express written statement that the violations have been fixed and that no further violations will happen, the state will not take further action.

However, if the processor or controller continues to violate the VCDPA after the 30-day period or breaches the express written statement, the state data controller may start an action and seek:

• An injunction to restrain violations of the VCDPA

• Civil penalties of up to $7,500 for each violation under the VCDPA

The Attorney General may also recover reasonable expenses spent on investigating and preparing the case, including lawyers' fees. 

VCDPA vs. CCPA & CPRA

The VCDPA has many similarities with another powerful privacy law in the United States, the California Consumer Privacy Act. Both grant consumers rights over their personal information and require covered companies to safeguard such rights. Both laws also:

• Apply extraterritorially

• Define "personal information" or "personal data" broadly

• Require businesses to disclose the types of personal information they use, collect, and share

• Require businesses to tell consumers about their rights and how to exercise them

However, there are also important differences between these two laws, such as the following:

Differences in scope

Virginia's VCDPA applies to a broader range of companies. It also does not have a minimum revenue threshold, which means it may apply to small businesses that collect a lot of data.

To recap, Virginia's VCDPA applies to businesses that:

• Conduct business in Virginia or market their services and goods to Virginia residents; and

• Either:

  • Control or process the personal data of 100,000 or more Virginia residents; or

  • Control or process the personal data of at least 25,000 Virginia residents and make more than 50% of their gross revenue from selling personal data

Meanwhile, California's CCPA only applies to for-profit legal entities that do business in California, collect California consumers' personal information, determine the means and purposes of processing consumers' personal data, and meet one or more of the following characteristics:

• Have gross annual revenues of at least $25 million

• Annually sells, buys, or shares the personal information of at least 100,000 consumers or households

• Makes over 50% of its revenue from sharing or selling consumers' personal information

Differences in enforcement

The Attorney General of Virginia is solely responsible for enforcing the VCDPA. They can impose a civil penalty of up to $7,500 for each VCDPA violation, plus reasonable costs for investigating the case. The VCDPA does not allow for a private right of action.

In contrast, the CPRA established a dedicated privacy office, the California Privacy Protection Agency (CPPA), to enforce the CPRA. However, the California Attorney General also retains the authority to issue fines under the CPRA as it provides a private right of action.

The CPRA can impose the following administrative fines:

• Up to $2,500 per unintentional violation, or

• Up to $7,500 per intentional violation or for any violation involving the personal data of children under 16

VCDPA vs. GDPR

Another law that the VCDPA shares many similarities with is the EU's GDPR. Both data privacy laws:

• Apply extraterritorially

• Require businesses to obtain explicit and affirmative consent from website users when processing sensitive data

• Use the same words to describe consent, including "freely given," "informed," "specific," and "unambiguous"

• Require controllers and processors to have a written contract in place and follow certain rules

• Have similar principles, including requiring controllers to limit the collection of personal data to what is relevant, adequate, and reasonably necessary

However, there are also many differences between the VCDPA and the GDPR, including the following.

Differences in the definition of personal information

Virginia's VCDPA excludes publicly-available information and information about people in commercial and employment contexts from the definition of personal information. 

In contrast, the GDPR does not exclude such information from the definition of personal information. Under the GDPR, any information relating to an identifiable or identified natural person falls under the definition of personal information.

Differences in scope

Virginia's VCDPA applies to a narrower range of businesses. As covered above, the VCDPA only applies to companies that:

• Conduct business in Virginia or market their services and goods to local residents; and

• Either:

  • Control or process the personal data of 100,000 or more local residents; or

  • Control or process the personal data of at least 25,000 local residents and make more than 50% of their gross revenue from selling personal data

In contrast, the GDPR has a much broader scope than the VCDPA. It applies to any company or entity that processes the personal data of individuals in the EU, even if the company or entity only processes several EU-based individuals' personal data.

Note, however, that the GDPR does not apply to data processing:

• For purposes of law enforcement

• For purposes of national security

• By a natural person for a purely household or personal activity

Differences in consumers' ability to opt out of companies sharing their personal data

As previously mentioned, the VCDPA requires users to have the ability to opt out of the following before controllers process their personal data to do any of the following things:

1. The sale of personal data

2. Targeted advertising

3. Profiling for decisions that provide legal or similarly significant effects for the consumer

However, the VCDPA does not explicitly require companies to let users opt out after they've already opted in. 

Similarly, the GDPR requires all organizations to obtain opt-ins from EU users before processing their personal data. They must also provide users a way to withdraw consent after they've already given it. Additionally, businesses must obtain user consent for every channel through which they intend to collect and process data.

Differences in enforcement

The VCDPA is enforced by the Virginia chief legal officer, who can impose a civil penalty of up to $7,500 for each VCDPA violation, plus reasonable costs for investigating the case. There is no private right of action under the VCDPA.

On the other hand, national or sub-national data protection authorities (DPAs) enforce the GDPR. DPAs are independent public authorities that oversee, through corrective and investigative powers, the application of the GDPR. There is one DPA in each EU Member State. 

DPAs can impose penalties of up to 20 million euros or 4% of the non-compliant company's entire global turnover of the preceding year, whichever is higher. There is a private right of action under the GDPR.

Summary & Conclusion

The VCDPA is a comprehensive data privacy law, in the mold of similar laws around the world including PIPEDA, GDPR, and more. While the VCDPA is primarily concerned with Virginia consumers, it is an accountability act that compels businesses to abide by a data processing agreement, correct inaccurate personal data when requested, severely limit data collection practices, maintain reasonable administrative and physical data security practices, all with the aim to protect consumers personal data and guard against misuse.

The VCDPA makes sure that all consumer requests are catered to promptly and that any consumer's personal data revealing racial or ethnic origin, health insurance portability details, de identified data, or any other kind of personal data processing can be anonymized and stored properly.

The Virginia Consumer Data Protection Act is a robust consumer data protection act that provides a framework for personal data processed, in the same vein as the california privacy rights act.