6 Important Elements of New Virginia Consumer Data Protection Act

Virginia recently passed the Consumer Data Protection Act, known as VaCDPA, that may require companies across the U.S. to take additional steps to safeguard the data privacy of their customers beyond those currently required by law. 

Here are six important aspects of the new Virginia law companies and consumers need to know.

When is VaCDPA effective?

VaCDPA was signed into law March 3, 2021, and it will become effective Jan. 1, 2023. 

Does it apply to my company?

VaCDPA applies to for-profit companies that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

1. during a calendar year, control or process personal data of at least 100,000 Virginia consumers or 
2. control or process personal data of at least 25,000 Virginia consumers and derive greater than 50 percent of gross revenue from the sale of such data. 

The act does not apply to nonprofits, any company subject to Gramm-Leach-Bliley Act or HIPAA, or to institutions of higher education. Unlike the California Consumer Privacy Act (CCPA), there is no revenue threshold. Due to the narrower definition of consumer, fewer companies may have to comply with VaCDPA than with CCPA.

What is “personal data” under VaCDPA?

“Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It does not include de-identified data or publicly available information.

Will VaCDPA likely require my company to do anything beyond or different from what it is doing to comply with CCPA?

VaCDPA overlaps CCPA in many aspects, but there are some substantive differences, including some of the key definitions. Like the California law, VaCDPA requires companies to have a publicly available privacy policy, to respond to consumer data access requests, and to have a data protection agreement in place with service providers. 

Unlike the California law, VaCDPA requires a data protection assessment if the company processes personal data for purposes of targeted advertising; if it sells personal data; if it processes “sensitive personal data” (a defined term); if the processing activities present a “heightened risk of harm to consumers”; or, if there are certain enumerated “reasonably foreseeable risks.” 

For the Virginia law, personal data only relates to information of an identified or identifiable natural person and does not include publicly available information (which itself is defined more broadly than in California’s law), de-identified data, or data that only relates to or “describes” an individual. 

Personal data also excludes data of persons acting in a commercial or employment context, which means B2B contact information and employee-related information are not part of the definition. “Sale” is only if “monetary consideration” is involved, whereas the California law includes “or other valuable consideration.”

Another difference is in the opt-in versus opt-out models. Under VaCDPA, a consumer can opt out of personal data being shared only if the company is receiving “monetary consideration.” The opt-out right covers not only the sale of personal data, but also targeted advertising and profiling decisions. To collect and process “sensitive” personal data requires opt-in consent under the Virginia law unless an exemption applies (compared to CCPA, which is an opt-out right).

The right of a Virginia consumer to have their data deleted covers not only data collected from the consumer, but also data “concerning” the consumer (which appears to relate to data obtained from sources other than the consumer).

What should my company do to prepare for VaCDPA?

Here are some suggested best practices for companies preparing for the VaCDPA:

• Implement a data processing agreement with any companies that handle or process personal data, or update the company’s current agreement to comply with VaCDPA’s new requirements
• Update the website privacy policy to cover the disclosures required under VaCDPA, e.g., the process for appealing a denial of a consumer’s data rights request
• Review what data is collected, for what purpose(s), to whom it is disclosed, and whether is it “sold”
• Put in place a written policy and procedure for handling consumer data requests
• Perform a data protection assessment if required
• Review any cyber insurance policies and coverage to see whether any updates are needed

What are the enforcement aspects?

If the company does not cure a violation within the 30-day notice period from the Virginia attorney general, fines of up to $7,500 for each uncured violation, plus expenses, can be levied. However, there is no private right of action.

To obtain more information, please contact the Barnes & Thornburg attorney with whom you work or Jason Bernstein at 404-264-4040 or jason.bernstein@btlaw.com or Scott Godes at 202-408-6928 or scott.godes@btlaw.com. 

© 2021 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is proprietary and the property of Barnes & Thornburg LLP. It may not be reproduced, in any form, without the express written consent of Barnes & Thornburg LLP.

This Barnes & Thornburg LLP publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.