Who Is Subject to the VCDPA?
The VCDPA applies to companies that conduct business in Virginia, or that produce products or services targeted to Virginia residents, and that meet one of two thresholds during a calendar year: they either “control” or “process” the personal data of at least 100,000 Virginia consumers, or they “control” or “process” the personal data of at least 25,000 Virginia consumers and derive over 50 percent of their gross revenue from the sale of personal data.
The VCDPA does not apply to Virginia government bodies, non-profit organizations, institutions of higher education, or to healthcare and financial institutions that are already subject to federal privacy laws such as HIPAA or the Gramm-Leach-Bliley Act.
What is “Personal Data”?
Like “personal information” in many other jurisdictions, “personal data” is any information that is linked, or reasonably linkable, to an identified or identifiable natural person. It does not include de-identified data or publicly available information.
The VCDPA also defines a subset called “sensitive data,” which covers personal data collected from a known child under the age of 13; genetic or biometric data processed for the purpose of uniquely identifying an individual; precise geolocation data (data that locates a person within a radius of 1,750 feet); and personal data revealing citizenship or immigration status, racial or ethnic origin, religious beliefs, sexual orientation, or a mental or physical health diagnosis.
What Do “Control” and “Process” Mean?
A “controller” is a person or entity that, alone or jointly with others, determines the purpose and means of processing personal data.
“Processing” means any operation or set of operations performed on personal data, whether by manual or automated means. This includes collecting, using, storing, disclosing to other persons, analyzing, deleting, or modifying personal data.
Simply put, the controller decides why personal data is collected and how it will be collected, stored, disclosed, shared, analyzed, deleted, or modified. The processor is the entity that carries out those operations on behalf of the controller, under a contract with the controller that sets out the processing instructions. The same company can be a controller for some data and a processor for other data, so the classification has to be done per processing activity rather than per company.
What Does the VCDPA Require Businesses to Do?
The VCDPA requires covered entities to be transparent about their use of personal data, and to offer consumers control over their personal data. Virginia residents have the following specific rights:
The VCDPA prohibits covered entities from processing any “sensitive data” without first obtaining the consumer’s consent. Consent must be given by a clear affirmative act that signifies the consumer’s freely given, specific, informed, and unambiguous agreement; acceptance of a general terms-of-use document or pre-checked boxes do not meet that standard.
Finally, the VCDPA requires data controllers to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that includes the categories of personal data the controller processes and the purpose for processing that data; how consumers may exercise the rights outlined above, including how to appeal a controller’s decision on a request; the categories of personal data shared with third parties, if any; and the categories of third parties, if any, with which the controller shares personal data. A controller that sells personal data or processes it for targeted advertising must also clearly and conspicuously disclose that fact and explain how consumers may opt out. Every privacy notice must also describe one or more secure and reliable means for consumers to submit requests to exercise their rights under the VCDPA.
What Are the Penalties for Violating the VCDPA?
The VCDPA gives Virginia’s attorney general exclusive authority to enforce the law; there is no private right of action for consumers. The attorney general can seek civil penalties of up to $7,500 for each violation of the VCDPA. Before any penalties are imposed, the attorney general must give the company written notice of the violation and a 30-day period to cure, which means to correct the issues that led to the violation and confirm in writing that no further violations will occur.
Because the Virginia law is nearly as comprehensive as the California Consumer Privacy Act (CCPA), companies that already comply with California’s stringent requirements are likely to satisfy most of the VCDPA. However, the two laws differ in their thresholds, definitions, and notice requirements, so it is important to assess compliance with the VCDPA specifically. Companies that may be covered under the VCDPA but have not yet assessed their compliance, or brought their privacy policies up to date with Virginia-specific language, should do so now.