What is the Virginia Consumer Data Protection Act?
The Virginia Consumer Data Protection Act (VCDPA) of 2021 is a comprehensive state privacy law geared toward protecting the sensitive information and privacy of Virginia residents and consumers. The VCDPA uses the concept of “controller” to define the businesses that determine the purpose and particular means of processing data, and the concept of “processor” to describe the entities that process that data on behalf of “controllers”. What’s more, the VCDPA defines personal data broadly to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person”. Additionally, the VCDPA gives consumers the right to know, access, delete, amend, correct, or opt out of the sale and processing of their personal information for targeted advertising purposes.
The VCDPA draws on both language and substance from the California Consumer Privacy Act (CCPA) and the newly enacted California Privacy Rights and Enforcement Act. However, the VCDPA differs from these acts in certain respects. Like the CCPA, the VCDPA grants Virginia consumers the right to know, access, delete, and opt out of the sale or processing of any personal information pertaining to them. On the other hand, the VCDPA’s language and structure are in some ways closer to the GDPR than to the CCPA: it adopts data protection assessment requirements and uses GDPR terminology such as “processor” and “controller”. Moreover, the VCDPA differs from the CCPA by leaving enforcement of the act entirely to the discretion of the Attorney General, rather than establishing a separate bureaucratic body to oversee privacy violations.
What are businesses’ obligations to consumers under the VCDPA?
Much like the CCPA, the VCDPA mandates that businesses operating within the state of Virginia limit their collection and use of personal data to uses that are both reasonably necessary and applicable to the purposes disclosed to consumers when their information was collected. For instance, a debt collection agency should only collect and use your information in the context of settling your debt. Additionally, under the VCDPA, “controllers” and “processors” of personal data must first obtain consent from consumers before processing this data for any other purpose. What’s more, the VCDPA requires that businesses “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data”.
In keeping with the VCDPA’s similarities to the European GDPR, the VCDPA also requires that businesses conduct some form of “data protection assessment”, with the goal of identifying and evaluating processing activities that may pose a high risk to consumers. “Controllers” and “processors” must also be governed by a formal agreement. This agreement must include certain retention and confidentiality provisions and must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties”. Failure to comply with the VCDPA can result in a fine as high as $7,500 per offense or violation, as well as any other auxiliary expenses accrued during the investigation, such as attorney fees.
Who must comply with the VCDPA?
The VCDPA applies to all entities that “conduct business in the commonwealth of Virginia or produce products and services that are targeted to residents of the commonwealth” and meet either of the following criteria in a given fiscal year:
- Process or control personal data of at least 100,000 Virginia residents.
- Derive more than 50% of gross revenue from the sale of personal data (whether this threshold applies strictly to Virginia residents is unclear at this time) and process or control the personal data of at least 25,000 Virginia residents.
To put it into layman’s terms, the VCDPA will generally apply to business-to-business and for-profit companies that interact with or process the personally sensitive information of Virginia residents on a large scale. For example, a small family business in a sparsely populated town in rural Virginia may never cross the threshold needed to fall under the VCDPA. Conversely, a large retailer such as H&M or Target would cross this threshold in a matter of weeks, if not days. Furthermore, the VCDPA borrows language from the CCPA in that it does not specify or define the parameters for “doing business” in the state of Virginia. Nevertheless, any business conducting an economic activity that would trigger tax liability or personal jurisdiction in the state of Virginia would likewise be subject to the standards set forth by the VCDPA.