
Main things you need to know about the Virginia Consumer Data Protection Act (CDPA)

Updated: May 21


Written by Sabrina Palme, CEO at Palqee Technologies


Virginia has passed a new consumer privacy law, the CDPA. Read this article to learn what the regulation means for businesses.


What is the Virginia Consumer Data Protection Act?


The Virginia Consumer Data Protection Act, or VCDPA, is a new data privacy bill that has passed the legislature and will regulate how personal data may be processed and used by third parties in the US state of Virginia. This makes Virginia the second US state to pass a broad, multi-rights data privacy law.


When does it take effect?


The new law will take effect Jan. 1, 2023.


What are the penalties for non-compliance?


Data Controllers can be fined up to $7,500 per violation. Enforcement and fines are handled solely by the attorney general. Before taking action over a VCDPA violation, the attorney general's office has to notify the Data Controller and give it a 30-day window to cure the violation and provide the attorney general with an “express written statement that the alleged violations have been cured and no further violation shall occur”. Should the controller fail to fix the violation, it could face the fine.


Who has to comply with the regulation?


Any organisation that conducts business in Virginia or produces products for or offers services to residents of Virginia and either:


  • controls or processes personal data of at least 100,000 consumers in a calendar year; or

  • controls or processes personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data in a calendar year.


For comparison, the Californian CCPA has a similar definition; however, its threshold for a business to fall within scope is processing the data of more than 50,000 consumers.


Further, a range of companies and institutions are exempt:


  • Governmental entities;

  • Non-profit organisations;

  • Financial institutions;

  • Entities covered by the Health Insurance Portability and Accountability Act (HIPAA);

  • Entities covered by the Gramm-Leach-Bliley Act (GLBA)

  • Higher education institutions;

  • B2B businesses, including for example sole proprietors or large employers of Virginia residents, whose operations do not include the collection of consumer data


What categories of personal data fall into the scope?


The VCDPA has a broad definition of what is considered personal data:


“any information that is linked or reasonably linkable to an identified or identifiable natural person”.

This does not include de-identified data or publicly available information. Further, there are notable exemptions of personal data that do not fall into scope, mainly:


  • Employee data;

  • Data governed by federal regulations, like the Family Educational Privacy Protection Act, Children’s Online Privacy Protection Act and Fair Credit Reporting Act;

  • (Financial) data that falls under the scope of the Gramm-Leach-Bliley Act;

  • (Health) data governed by the Health Insurance Portability and Accountability Act;


One major difference to regulations such as the GDPR is worth mentioning here: the GDPR applies to all types of personal data and works in conjunction with any additional regulations that govern, e.g., financial and health data, whereas the VCDPA does not apply to certain data sets that are already governed by other regulations. This means companies need to pay extra attention to the types of data they process and to which regulations and rules apply to each of them.




What are the consumer rights under the VCDPA?


Similar to data subjects in the UK/EU and consumers in California, consumers in Virginia will enjoy certain rights with regards to their personal data under the new VCDPA. Upon consumer authentication, consumers can make use of the following rights:


  • Right to know if a business processes their personal data

  • Right to access a copy of what personal data is held and for what purpose

  • Right to correct inaccuracies if personal data processed by a business is not accurate

  • Right to request deletion of personal data

  • Right to obtain a portable copy of the data for transfer through automated means

  • Right to opt out of targeted advertising, sale of personal data and data profiling used for decision making that involves legal or similarly significant effects concerning the consumer


What are the main requirements for businesses that have to comply with the VCDPA?

The principles established in the VCDPA have largely been recognised as best practice in Virginia but are now considered a legal obligation under the regulation. These are:


Notice: Consumers need to be provided with a Privacy Notice incl. information about all intended purposes for use of the personal data


Data Minimisation: Data collection needs to be limited to what is considered adequate, relevant and reasonably necessary for each processing purpose


Data Security: Businesses need to maintain reasonable technical, administrative and physical data security practices


Data Protection Assessments: Businesses need to conduct Data Protection Assessments of their data collection and processing activities for certain types of data processing activities


Consent to process “sensitive data”: Affirmative consent needs to be obtained from consumers before any collection and processing activities of sensitive data. Sensitive data under the VCDPA includes:


  • Racial or ethnic origin,

  • Religious beliefs,

  • Mental or physical health diagnosis,

  • Sexual orientation,

  • Citizenship or immigration status

  • Genetic or biometric data processed for the purpose of uniquely identifying an individual

  • Personal data of a known child (under the age of 13)

  • Precise geolocation data


Facilitate rights for Virginia consumers: Obligated to support consumers in executing their rights under the VCDPA as described in section “What are the consumer rights under the VCDPA?”


Additional responsibilities for Data Controllers: Very similar to the GDPR, businesses acting as data controller need to control third parties, like vendors, that process personal data on their behalf. This includes having in place and managing:


  • contractual provisions that limit the purposes for which the data will be used,

  • confidentiality agreements,

  • allowing for due diligence on data processes,

  • requiring data deletion upon request,

  • and ensuring the processor commits to passing on and controlling these obligations with its subcontractors.


For businesses to consider:


If you already comply with privacy regulations such as the GDPR, the CCPA (CPRA from Jan 1, 2023) or even the LGPD, you will most likely cover most of the provisions of the VCDPA. If not, the best first step is a Gap Assessment: an analysis of your status quo in terms of data privacy that helps you understand what you need to do next.


First, check whether or not your company falls under the scope of the VCDPA or whether you are in one of the exempt categories, in which case you just need to make sure you have the documentation available to prove that.


Consumer rights are quite similar to those under other privacy regulations, but there are some regulatory differences: the time you have to respond to a consumer exercising his or her rights under the VCDPA compared with other regulations; what kind of data needs special consideration, e.g. the categories of sensitive personal data tend to differ slightly across regulations; and finally whether individuals have specific rights for certain types of processing activities, such as the sale of personal data, profiling and automated decision making.


The Virginia regulation is yet another privacy law that makes compliance more complex for businesses operating internationally. However, to enable and foster the free flow of personal data for growth and innovation, this kind of regulation is crucial for building customer trust in the data economy. Businesses that take compliance seriously and treat it as an opportunity are sure to benefit in the future: they become more resilient as more privacy laws appear, more efficient in their management of data, and more competitive in building stronger customer relationships.





