Take a close-up look into the Virginia's Consumer Data Protection Act (VCDPA).
Virginia's Consumer Data Protection Act (VCDPA), which went into effect January 1, 2023, grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared.
The law aims to establish a framework that protects the rights and interests of Virginia residents and lays out comprehensive guidelines for businesses that process personal information of Virginia residents. It imposes various obligations on these entities to safeguard consumer privacy and ensure responsible data handling practices. By setting clear standards and requirements, the VCDPA seeks to create a more transparent and accountable environment for businesses and consumers alike.
It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following:
Businesses that meet the above criteria must:
You’ll notice that consumers must opt in first before businesses can collect their sensitive data. Under the VCDPA, sensitive data includes personal data that reveals religious beliefs, racial or ethnic origin, mental or physical health, citizenship or immigration status, or sexual orientation. Additionally, processing genetic or biometric data specifically to uniquely identify an individual is considered sensitive data, as well as the personal data from a known child or specific geolocation data.
The Virginia Consumer Data Protection Act grants Virginia residents the right to control what happens with data collected about them. Specifically, the law allows consumers:
When a controller receives a subject rights request, they must respond within 45 days but can request a 45-day extension if the request is of a particularly high volume or complexity.
Controllers can also decline requests, but they must include a valid justification for declining the request—for example, if the request was vexatious in nature.
Under the Virginia Consumer Data Protection Act, service providers are considered "processors." A processor would refer to any entity performing a task for the data "controller"—the company collecting the data and deciding how to use it.
Under the VCDPA, controllers and processors have to contractually agree that the processor will delete or return all personal data at the controller's request, and processors can't use additional service providers unless they've contractually agreed to meet the VCDPA's requirements.
Some of the law's critics have said the bill should be more restrictive in its provisions on targeted advertising. Consumers have the right to opt out of their data being used for targeted advertising. The law defines targeted advertising as the use of Virginians' personal data to deliver advertisements based on data from third-party websites or apps in order to predict preferences or interests.
But the law does not apply to:
The Virginia Attorney General will enforce the law. While it does not contain a private right of action as a consumer redress tool, it does allow the attorney general to seek civil penalties of up to $7,500 per violation.
Below is a chart comparing some of Virginia's law with both the California Consumer Privacy Act (CCPA), which became effective in 2018, and the law that will replace it on Jan. 1, 2023, the Consumer Privacy Rights Act (CPRA).
CCPA
|
CPRA
|
VCDPA
|
|
---|---|---|---|
Enforcement
|
California Attorney General’s Office
|
California Privacy Protection Agency
|
Virginia Attorney General's Office
|
Profiling
|
N/A
|
Consumers can opt-out of automated decision-making
|
Consumers can opt-out of profiling that produces "legal or significant effects," including for housing, employment and educational eligibility, for example
|
Sensitive data
|
N/A
|
Businesses must disclose how they collect, use and disclose
Consumers may opt-out of the use of their sensitive data
|
Consumers must opt-in to the collection and use of their sensitive data for processing
|
Data minimization
|
N/A
|
Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose
|
Businesses must only collect and retain what is adequate, relevant and reasonably necessary to the purpose, and that must be disclosed to consumers
|
Consumer remedies
|
Consumers may file a private right of action when lack of reasonable security leads to a breach
|
CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question
|
Companies must establish a process for consumers to submit complaints
No private right of action
|
Data Protection Impact Assessments
|
N/A
|
Required, specific rules to be determined by forthcoming rulemaking
|
Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm"
|
Deletion
|
Businesses must fulfill validation consumer requests to delete their data
|
Businesses fulfilling legitimate deletion requests must also notify third parties to delete such information
|
Businesses must delete personal data provided by or obtained via the consumer
|
Opt-out links
|
Businesses must have a “Do not sell my personal information” link
|
Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link
|
Virginia requires users to be able to opt out of the sale of personal information, targeted advertising, and profiling.
|
Fines
|
Up to $7,500 per violation or $2,500 per unintentional violation
|
Automatic $7,500 fine for violations of minors’ data (children under the age of 16)
|
Up to $7,500 per violation
|