Countdown to Virginia Consumer Data Protection Act

Virginia will be only the second state in the country to have a comprehensive data privacy law in effect.

On January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) takes effect. VCDPA provides Virginia consumers with new data privacy rights and protections, and does this by imposing various new requirements on certain businesses that operate in Virginia. This is not Virginia’s first data privacy law, but it is by far the most comprehensive. Previous laws affected only certain types of business, or regulated only a small aspect of data privacy. There have been three significant amendments to the VCDPA since Governor Ralph Northam originally signed it into law on March 2, 2021. Here’s what you can expect from the new law in its final form.

Who does it apply to?

The VCDPA applies to any business that operates in Virginia or targets Virginia consumers, and controls or processes the personal data of 100,000 Virginians (or only 25,000 if the business makes more than 50% of its revenue from the sale of personal data). The VCDPA defines “personal data” very broadly, as any data that may reasonably be linked to a natural person. It also defines “control” and “process” very broadly, including the mere storage of personal data.

Who does it not apply to?

The VCDPA specifically excludes:

  • Virginia governmental bodies
  • Financial institutions that are subject to the Graham-Leach-Bliley Act
  • Health care entities that are subject to HIPAA or HITECH
  • Nonprofit organizations (which, following a recent amendment signed into law by Governor Youngkin, now includes political organizations)
  • Institutions of higher education

What does it do?

The VCDPA provides consumers with the rights to access and obtain copies of their personal data and correct inaccuracies in that data. It also provides them with several critical opt outs, including the ability to opt out of targeted advertising, the sale of their personal data, and customer profiling.

It also permits a consumer to request the deletion of their personal data. Following another recent amendment, however, a data controller or processor can now respond to the request to delete data by simply no longer processing the data. The intent of this amendment is to encourage compliance with VCDPA by reducing associated costs.

VCDPA also requires that data processors and controllers “[e]stablish, implement, and maintain” reasonable practices to protect the “confidentiality, integrity, and accessibility of personal data.” This requirement occupies only three lines of the Act, but is hugely important. Organizations to which VCDPA applies must now ensure they have in place a full data security program to address cybersecurity and privacy needs. And because these programs are required to be “reasonable,” they must constantly evolve to keep pace with industry standards.

How is it enforced?

VCDPA has no private right of action. Enforcement is by the Virginia Attorney General, who may bring actions to recover civil penalties of up to $7,500 per violation. The third of the three amendments that Governor Youngkin recently signed into law requires that funds recovered from enforcement actions be deposited into a fund for the enforcement of consumer regulations.

The Evolution of VCDPA

VCDPA does not empower any state agency to develop regulations. It will therefore be critical to keep an eye on the Attorney General’s enforcement actions to determine the standards by which that office measures compliance.  Even if VCDPA does not apply to your organization, VCDPA’s requirement of threshold data security practices are likely to heavily influence consumer expectations. It is therefore important to track the evolution of these standards and use them to inform your organization’s own practices.

If you have any questions about the VCDPA, Sands Anderson’s Cybersecurity and Technology Group can help.