What is the Virginia Consumer Data Protection Act?

May 11, 2021 | 4 minutes read
What is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act (VCDPA) of 2021 is a comprehensive state privacy law that is geared toward protecting the sensitive information and privacy of Virginia residents and consumers. The VCDPA uses the concept of “controller” to define the businesses that determine the purpose of and particular means of processing data and the concept of “processor” to describe the entities that process said data on the behalf of “controllers”. What’s more, the VCDPA defines personal data more broadly to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person”. Additionally, the VCDPA gives consumers the right to know, access, delete, amend, correct, or opt out of the sale and processing of their personal information for targeted advertising purposes.

The VCDPA draws on both language and substance from the California Consumer Privacy Act (CCPA) and the newly enacted California Privacy Rights and Enforcement Act. However, the VCDPA differs from these acts in certain respects. For instance, the VCDPA grants Virginia consumers the right to know, access, delete, and opt out of the sale or processing of any personal information pertaining to them, much like the CCPA. Alternatively, the VCDPA contains language and structure more similar to that of the GDPR than the CCPA such as adopting data protection assessment requirements, as well as certain terminology such as “processor” and “controller”. Moreover, the VCDPA differs from the CCPA by leaving the enforcement of the act entirely to the discretion of the Attorney General, as opposed to establishing a separate bureaucratic body to oversee privacy violations.

What are businesses’ obligations to consumers under the VCDPA?

Much like the CCPA, the VCDPA mandates that businesses operating within the state of Virginia limit their collection and use of personal data to uses that are both reasonably necessary and applicable to the purposes that were disclosed to consumers when their information was collected. For instance, a debt collection agency should only collect and use your information in the context of settling your debt. Additionally, the VCDPA “controllers” and processors” of personal data must first obtain consent from consumers before processing this data for any other purpose. What’s more, the VCDPA requires that businesses “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data”.

In keeping with the VCDPA’s similarities to the European GDPR, the VCDPA also requires that businesses conduct some form of “data protection assessment”, with the goal of identifying and evaluating transactions that may come with a high risk to consumers. “Controllers” and “processors” must also be governed by some sort of formal agreement. This agreement must include certain retention and confidentiality provisions and must “clearly set forth instructions for processing data, the nature, and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties”. Failure to comply with the VCDPA can result in a fine as high as $7,500 per offense or violation, as well as any other auxiliary expenses accrued during the investigation, such as attorney fees.

Who must comply with the VCDPA?

The VCDPA applies to all entities “who conduct business in the commonwealth of Virginia or produce products and services that are targeted to residents of the commonwealth” and meets the following criteria in a given fiscal year:

To put it into layman’s terms, the VCDPA will generally apply to business-to-business and for-profit companies that interact with or process the personally sensitive information of Virginia residents on a large scale. For example, a small family business in a sparsely populated town in rural Virginia may never cross the threshold needed to fall under the VCDPA. Contrarily, a large retail store such as H&M or target would cross this threshold in a matter of weeks if not days. Furthermore, the VCPDA borrows further language from the CCPA in that it does not specify or define the parameters for “doing business” in the state of Virginia. Nevertheless, any business that is conducting an economic activity that would trigger tax liability of personal jurisdiction in the state of Virginia would similarly be applicable under the standards set forth by the VCDPA.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »
Arizona’s Proposed New Law on Public Records Requests
March 13, 2023 | 7 minutes read
Arizona’s Proposed New Law on Public Records Requests

A Bit of History The date February 14th might stand out to most of us, and if you haven’t figured out why, it’s because it is the anniversary of Arizona’s Statehood. Over 100 years ago, Arizona became the 48th state to be admitted into the United States. Since governance is as old as human history, […]

Learn More »