
Virginia Privacy Law: A 2023 VCDPA Overview

On January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) took full effect in the Commonwealth. The primary goal of the act is to bring additional protection to the citizens of Virginia as the world of technology is continuously evolving. As the demand for online activity increases, so does the need to expand existing data protection and privacy laws. Without modifying current regulations, problems and challenges for both businesses and citizens in the Commonwealth will continue to arise. This comprehensive article summarizes some of the key components of the VCDPA as it’s currently constructed. 

What is the VCDPA? 

The primary purpose of the VCDPA is to expand consumer privacy rights. 

To better comprehend how this may apply to you, it’s important to first understand how the term “personal information” is defined throughout, who may be affected by the VCDPA regulations, and what requirements must be met for those businesses and organizations that manage and control data.[1] 

What Does “Personal Information” Mean Under the VCDPA? 

Personal information is expansively defined under the VCDPA as “any information that is linked or reasonably linked to an identified or identifiable natural person”. To be more specific, the act further defines some personal data as “sensitive data”, which cannot be processed without the consent of the consumer, and includes the following information: 

  • data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 
  • the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; 
  • any personal data collected from a known child; or 
  • precise geolocation data. 

Who is Affected by the New VCDPA Regulations? 

The VCDPA can affect you personally, whether you analyze the regulation from a consumer mindset or adjust the privacy standards for your business or organization. 

Virginia Businesses 

The VCDPA applies to businesses and companies in the Commonwealth that produce products or services for residents of the Commonwealth and that: 

  • during a calendar year, control or process personal data of at least 100,000 consumers; or 
  • control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. 

There are a few circumstances in which one may be exempt from the requirements of the VCDPA. Those include organizations subject to HIPAA, not-for-profit organizations, higher education institutions, financial institutions, and any data received that is subject to the Gramm-Leach-Bliley Act. 

Virginia Citizens 

A handful of protection rights are afforded to those in the Commonwealth due to the VCDPA regulations, including: 

  • the right to confirm whether a controller is processing their personal data;
  • the right to access any personal data given to a controller; 
  • the right to correct any inaccuracies in the personal data given; 
  • the right to delete any personal data provided by them or obtained about them; 
  • the right to obtain a copy of their personal data that was previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and 
  • the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them. 

How Can Businesses Meet VCDPA Privacy Policy Requirements? 

Businesses that fall under the jurisdiction of the VCDPA will be required to “conduct and document a data protection assessment” if they process any sensitive data, sell personal data, or process personal data for targeted advertising or profiling purposes.[2] 

If your business falls into a category subject to jurisdiction or you aren’t clear on whether you will be impacted, contact our attorneys to ensure you follow all regulations. 

What VCDPA Amendments Have Been Made? 

Three enacted amendments may affect your business. They pertain to the consumer's ability to delete personal data, the redefinition of a nonprofit organization, and modifications to the process of penalties and fees.[3] 

According to the new HB 381 regulation, a controller that has obtained personal data about a consumer from a separate source shall be deemed in compliance with a consumer’s request to delete the data by either: 

  • retaining a record of the deletion request and the data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose; or 
  • opting the consumer out of the processing of personal data for any purpose except for those exempted pursuant to all the rights provided here.[4] 

The original definition of a nonprofit organization has been altered to include a political organization. With that inclusion, political organizations are exempt from complying with the VCDPA. Below is the revised definition of a political organization: 

“a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.” 

Finally, two identical bills were signed by the Governor regarding the funding structure of the VCDPA. Bills SB 534 and HB 714 now specify that all “civil penalties, expenses, and the attorney fees collected pursuant to [the VCDPA] shall be paid to the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation and Enforcement Revolving Trust Fund”.[5][6] 

FAQs on the Virginia Consumer Data Protection Act 

Below are some frequently asked questions that may provide the information you’re looking for. Please reach out if you have any additional follow-up questions that we can help with.  

  • When Did the VCDPA Go into Effect?
    • The VCDPA went into effect on January 1, 2023.
  • What Do I Do If I’m Unsure Whether the VCDPA Applies to Me?
    • Contact us right away and we can further explain the regulation and whether you or your business are affected and in compliance.
  • How is the VCDPA Enforced? What Are the Penalties?
    • While there is no private right of action allowed, the Virginia Attorney General’s office imposes any punishments for violations of the VCDPA. A controller must be provided thirty (30) days from the date of notice to cure the violation. Failure to cure could result in fines up to $7,500 each. 

 Since 1973, ThompsonMcMullan has expanded to provide comprehensive legal services across 36 different practice areas. This includes our distinct experience and expertise in cybersecurity and the Virginia Privacy Act. Our dedicated attorneys are more than happy to answer any of your questions, so contact us today.

 

References: 

[1] https://www.natlawreview.com/article/virginia-passes-consumer-privacy-law-other-states-may-follow
[2] https://www.regulatoryoversight.com/2022/11/virginias-consumer-data-protection-act-is-not-the-commonwealths-only-privacy-and-data-protection-law-nor-is-it-the-nations-first/
[3] https://pro.bloomberglaw.com/insights/privacy/virginia-consumer-data-protection-act-vcdpa-amendments-and-clarifications/
[4] https://legacylis.virginia.gov/cgi-bin/legp604.exe?221+ful+HB381ER
[5] https://legacylis.virginia.gov/cgi-bin/legp604.exe?221+sum+HB714
[6] https://legacylis.virginia.gov/cgi-bin/legp604.exe?221+ful+SB534ER