Virginia’s Consumer Data Protection Act (VCDPA)

Virginia Consumer Data Protection Act, or VCDPA, is a state statute enacted to protect the rights of consumers residing in Virginia. This is the second state-wide law passed in the US after California Consumer Privacy Act.

Effective from: January 1, 2023

Official text: Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) is a law that protects the privacy of consumers by limiting how companies can use or disclose their personal information. It applies to any business that has customers in Virginia or that collects, uses, stores, or sells the personal information of individuals who reside in Virginia.

The VCDPA was signed into law by Gov. Ralph Northam on March 2, 2021. It will be enforced by the Attorney General.

The Virginia Consumer Data Protection Act applies to an entity (controller/processor) that conducts business in Virginia or produces products or services targeted to residents of the state, who controls or processes:

• personal data of at least 100,000 consumers or
• personal data of at least 25,000 consumers and earns over 50% of gross revenue from the sale of personal data.

Exemptions to this are:

• the Commonwealth or its political subdivisions;
• financial institutions subject to Gramm-Leach-Bliley Act;
• covered entities or business associates governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services;
• nonprofit organizations; or
• institutions of higher education.

Personal data, as defined by the VCDPA, refers to any information that can identify a specific individual. This can include names, photos, addresses, and phone numbers. It also includes data that can be used to locate or contact that person.

However, personal data does not include anonymized data or publicly available information. Anonymized data is information that has been scrubbed of all identifying characteristics so that it no longer identifies an individual. Publicly available information is something that anyone can access via public records or other methods of publication.

​​Under the VCDPA, sensitive personal data is defined as any of the following:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• the processing of genetic or biometrics to uniquely identify a natural person;
• the personal data collected from a known child; or
• precise geolocation data.

Here are the responsibilities and other requirements expected of controllers and processors of data:

Purpose limitation

Personal data should only be collected to an adequate level, relevant to the purpose for which it is being processed. Personal data should not be collected if it is not both necessary and compatible with the disclosed purpose unless the consumer has given consent.

Best security practices

Implement appropriate administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such practices should be appropriate to the volume and nature of data being handled by the controller.

Non-discrimination

Controllers must process data to the extent permitted by state and federal laws that prohibit unlawful discrimination against consumers. We don’t discriminate against consumers for exercising any of the consumer rights in state law, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

Consent

A controller must acquire a consumer’s consent before it can process sensitive data about the consumer or before it can process data about a child, according to Children’s Online Privacy Protection Act.

Privacy notice

Controllers must provide consumers with a clear and meaningful privacy notice that includes: 

• the categories of personal data the controller processes, 
• why the controller processes personal data, 
• how consumers may exercise their consumer rights under the Act, which includes how a consumer may appeal a controller’s response to the consumer’s request for access, 
• what categories of third parties the controller shares personal data with, what categories of personal data it shares with third parties, and
• means for consumers to exercise their consumer rights, including the right to opt-out of processing by third parties.

Impact assessment

As a controller, you are required to conduct an assessment of any processing activities involving personal data that present a reasonably foreseen risk of unfair or deceptive treatment of or unlawful disparate impact on consumers. This includes any processing activities involving sensitive data.

Data protection assessments must weigh benefits to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of consumers associated with the processing of personal data. The use of de-identified data and consumers’ expectations, as well as the context of the processing and relationship between the controller and consumer whose personal data is processed, should be considered.

Here are the rights granted by the Act to Virginia consumers:

• Right to know and access: Consumers have a right to know whether their data is being processed, and to access their own data.
• Right to correct: Consumers have a right to request that the data an organization holds about them be corrected if it is inaccurate.
• Right to delete: Consumers have a right to request that their personal data be deleted.
• Right to port: Consumers have a right to get a copy of their personal data in a portable and easily transferable format so that they can transfer it to other controllers without any hindrance. This right is particularly relevant when the processing is done by automated means.
• Right to opt-out: Consumers have a right to opt out of the processing of their personal data for purposes such as:
  • targeted advertising: it is the practice of showing specific ads on nonaffiliated websites and online applications based on the consumer’s activities across time and various sites;
  • the sale of personal data: it is the exchange of personal data between a controller and a third party for money; and
  • profiling used in decision-making: it means any form of automated processing that analyzes, evaluates or predicts a natural person’s personal aspects by using personal data.

A controller should respond to a consumer’s request within 45 days of receipt of the request unless an extension is granted. The controller must inform the consumer if an extension will be requested and for what reason it is being requested, as well as instructions on how to file an appeal if the request is declined.

If a consumer requests information, it should be provided free of charge up to twice a year. If the request is unreasonable or repetitive, then the controller can charge administrative costs. The controller has the burden of demonstrating that the request is unreasonable or repetitive.

Controllers shall establish one or more secure and reliable means for consumers to submit requests to exercise their consumer rights. This means must take into account how consumers normally interact with the controller while providing a secure way to communicate such requests. Controllers are not allowed to require a consumer to create a new account for submitting the requests.

• Define your purpose for data collection and processing. 
• Obtain consent from consumers to collect their sensitive personal data. 
• Allow users to opt out of data collection at any time.
• Allow users to exercise their rights to access, correct or delete their data, as well as to transfer their data.  Implement a clear and simple process for doing so.
• Add or update privacy notices to disclose your data collection and processing practices.
• Implement best security practices to protect personal data.
• Conduct data protection impact assessment for high-risk data processing activities 

The Attorney General must give controllers 30 days’ notice of any violations they believe are occurring. If the controller fixes those problems within that time, then it won’t be sued for statutory damages. If they continue to violate the law, the Attorney General can sue for up to $7,500 per violation.

Who is subject to the VCDPA?

Entities that conduct business in Virginia or provide products or services to Virginia residents by collecting their personal data are subject to VCDPA. They should meet the following thresholds:

• collect and process personal data of at least 100,000 consumers or
• collect and process personal data of at least 25,000 consumers and earns over 50% of gross revenue from the sale of personal data.

When was VCDPA passed?

The VCDPA was signed into law by Gov. Ralph Northam on March 2, 2021. This makes Virginia the second US state to pass a comprehensive data protection law after California’s CCPA.