Skip to main content

Now Is The Time to Check Compliance with Virginia Data Protection Law

Kelly Ruane Melchiondo

Did Your Company Assess its Data Collection Practices and Update Its Privacy Policy on January 1, 2023 to Comply with Virginia’s Consumer Data Protection Law?

Electronic Illustration of a digital filing cabinet to denote the collection of personal data

The Commonwealth of Virginia passed its comprehensive Virginia Consumer Data Protection Act on March 2, 2021. Virginia generously allowed nearly two years for companies that are subject to the VCDPA to assess its data collection and processing practices, and among other things, draft Privacy Policies compliant with the new law’s requirements. The VCDPA took effect on January 1, 2023. If your company is subject to the VCDPA, and did not assess its data collection and processing practices or revise its Privacy Policy to comply as of January 1, 2023, now is the time to do it.

Who Is Subject to the VCDPA?

The VCDPA applies to companies that do business in Virginia, or that produce products or services targeted to residents of Virginia. Specifically, the VCDPA applies to companies that either “control” or “process” the personal data of at least 100,000 consumers from Virginia, or “control” or “process” personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The VCDPA does not apply to government entities, non-profit organizations, higher education institutions, or healthcare and financial institutions that are subject to other federal privacy laws such as HIPAA or the Graham-Leach-Bliley Act.

What is “Personal Data”?

Like “personal information” in many other jurisdictions, “personal data” is any information that is linked, or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data, or publicly available information. 

The VCDPA also defines “sensitive data” as information collected from known children under the age of 13, genetic or biometric data if processed to identify individuals, geolocation data precise to within a radius of 1,750 feet, citizenship or immigration status, racial or ethnic origin, religious beliefs, sexual orientation or activities, or mental or physical health diagnoses.

What Do “Control” and “Process” Mean?

“Controlling” means a person or entity that determines the purpose and means of processing personal data.

“Processing” means any operation performed, whether manually or using automated means, on personal data. This includes collecting, storing, disclosing to other persons, analyzing, deleting or modifying personal data.

Simply put, a “controller” is a person or company that determines how data will be collected, stored, disclosed, shared, analyzed, deleted or modified. The “processor” is the entity that actually stores, discloses, analyzes, deletes or modifies that data.         

What Does the VCDPA Require Businesses to Do?

The VCDPA requires covered entities to be transparent about their use of personal data, and to offer consumers control over their personal data. Virginia residents have the following specific rights:

  • Right of Access: Virginia residents have the right to confirm whether businesses are processing their personal data, and the right to access that information.
  • Right of Correction: Virginia residents have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing.
  • Right of Deletion: Virginia residents have the right to delete the personal data they have provided, or that the entity has collected from them. Unlike in other jurisdictions, there are no exceptions to this right of deletion in Virginia.
  • Right of Portability: Virginia residents have the right to obtain a copy of the personal data that was previously provided in a portable and readily usable format that can be transmitted to another business, where the processing is carried out by automated means, if it is technically feasible to do so.
  • Right to Opt Out: Virginia residents have the right to opt out of (i) targeted advertising; (ii) the sale of their personal data and (iii) any profiling using the data that might produce legal or similarly significant effects.

The VCDPA prohibits covered entities from processing any “sensitive data” without first obtaining the consumer’s consent. Consent must be provided by a clear affirmative act, signifying the consumer’s freely given, specific, informed and unambiguous agreement.

Finally, the VCDPA requires data controllers to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that includes the categories of personal data the controller processes and the purpose for processing that data, how consumers may exercise the rights outlined above, the categories of any personal data shared with third parties, if any, and the categories of third parties, if any, with which the controller shares personal data. Any privacy notice must also clearly include at least one or more secure and reliable means for consumers to submit requests to exercise their rights under the VCDPA.

What Are the Penalties for Violating the VCDPA?

The VCDPA affords Virginia’s attorney general the sole enforcement rights over VCDPA violations. Virginia’s attorney general can impose civil penalties of up to $7,500 per violation for each violation of the VCDPA. Before any such penalties are imposed, the Virginia attorney general must provide companies with 30-days notice of a violation and an opportunity to cure, which means to correct issues that led to the violation.

Because the Virginia law is nearly as comprehensive as California’s Consumer Privacy Act, companies that comply with California’s stringent requirements likely comply with the VCDPA. However, because of the nuances of the Virginia law, it is important to assess compliance with the VCDPA specifically. Companies that may be covered under the VCDPA, but have yet to assess their compliance with the VCDPA, or bring their Privacy Policies up to date with Virginia-specific language, should do so now. 

Related Practices
Speaking Engagement July 19, 2024
Howard E. Nelson participates on the panel Hot Topics/Emerging Issues In Waste Management at the 38th Annual Environmental Permitting Summer School. The panelists discuss the latest policy changes including new emerging elements for site closures involving Water Management Districts, the effects of ...
Speaking Engagement July 18, 2024
Thomas F. Mullin participates on the panel Keeping Your Eye On The Ball: Scoping The Appropriate Environmental Due Diligence For The Project at the 38th Annual Environmental Permitting Summer School. The panelists discuss appropriate scoping of the environmental due diligence process, taking into co...
Speaking Engagement July 17, 2024
Howard E. Nelson participates on the panel Land and Golf Course Redevelopment: Opportunities and Challenges at the 38th Annual Environmental Permitting Summer School. The panelists discuss how to navigate the substantial challenges regarding land use, availability of water (quantity and quality), an...