TOPIC
What Is the Virginia Consumer Data Protection Act (VCDPA)?
August 4, 2021
On March 2, 2021, Virginia Gov. Ralph Northam (D) signed the Virginia Consumer Data Protection Act (VCDPA) into law, making Virginia the second state after California to officially enact comprehensive consumer privacy legislation. The VCDPA will go into effect Jan. 1, 2023.
What is the Virginia Consumer Data Protection Act (VCDPA)?
The VCDPA gives consumers the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes.
Entities conducting business in Virginia must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. Entities must control or process (i) the personal data of at least 100,000 consumers in a calendar year, or (ii) the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.
Subscribers Only: Privacy and Data Security Practice Center
From practical guidance to tracking the latest legal developments, our Privacy and Data Security Practice Center offers Bloomberg Law subscribers access to deeper insights into Virginia data privacy legislation and more.
How does the VCDPA differ from the CCPA?
At just eight pages, the VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA). Experts such as Mark Smith, Bloomberg Law legal analyst, believe its brevity and clarity may result in the VCDPA becoming a model for future privacy legislation.
The VCDPA clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context.” Unlike California, where the B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air.
Additionally, businesses must satisfy one of the aforementioned thresholds to fall within the statute’s scope, and unlike California, the VCDPA makes no mention of a threshold based solely on annual gross revenue. Entities are not left to question whether the processing of data from a dozen or so consumers will subject them to the law.
Virginia’s law has no significant recordkeeping requirements, aside from documenting data protection assessments. If a business already has in place a GDPR- or CCPA-compliant process for receiving and responding to data subject or consumer access requests, that process should be sufficient to handle requests from Virginia residents.
Analysis: Virginia, Not California, Is Privacy’s Next Top Model
Read the full analysis of the similarities and differences between the Virginia and California data privacy legislation.
What are some potential points for clarification in the VCDPA?
1. Applicability
The VCDPA applies to persons who “conduct business” in the Commonwealth or produce products or services that are “targeted” to residents of Virginia. The statute, however, does not define what “targeted” means.
2. Right to Delete
The VCDPA permits consumers to request the deletion of personal data, but it fails to set forth any specific exceptions to the right to delete.
3. Access and Data Portability
The VCDPA grants consumers a right to obtain a copy of their personal data, and it specifically indicates that the copy be provided “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance ….” But that provision also includes a modifier: “where the processing is carried out by automated means.” Experts say it’s not clear what, exactly, “automated means” modifies.
4. Targeted Advertising
The VCDPA defines “personal data” as any information that is “linked or reasonably linkable to an identified or identifiable natural person,” but it does not include information that could be linked to a consumer’s device.
It’s questionable whether the legislature intended to permit the use of cookies and IDFAs (Identifiers for Advertisers).
5. Children’s Data
While the VCDPA extends to both online and offline data collection practices, it specifies that if a consumer is a child, the controller must comply with the federal Children’s Online Privacy Protection Act (COPPA). But COPPA applies only to personal information collected from children online. Does that leave controllers off the hook if they collect personal data from children offline?
Analysis: Five Subtle Ambiguities in Virginia’s Privacy Law
Read the full article for more in-depth analysis of a handful of points from the VCDPA that experts say could use additional clarification.
What are some limitations to the VCDPA?
The Virginia law has carve-outs for protected health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as for personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Those falling outside the scope of the law also include state agencies, nonprofit organizations, colleges and universities, and entities or data subject to Title V of the Gramm-Leach-Bliley Act, which largely regulates banks and other financial institutions.
Virginia residents won’t be able to directly sue over violations of the law. Enforcement will be left in the hands of the state attorney general, who can seek damages of up to $7,500 per violation.
A plus for business is the law’s 30-day cure period, which allows companies that receive letters alleging noncompliance to communicate with the attorney general’s office and remedy any potential violations before fines are imposed.
Additionally, unlike the CCPA, the Virginia data privacy law explicitly allows businesses to offer different prices and levels of service to consumers enrolled in loyalty programs without having to comply with certain obligations.
A Glossary of Terms for Decoding CCPA/CPRA
To help you navigate significant changes to the data privacy landscape, this glossary outlines key terms in the CCPA and CPRA, as defined by the texts of both laws.
On-Demand Video: Bloomberg Law In-House Forum
The Higher Bar for Managing Data & Privacy: What Does “Good” Look Like Now?
This year’s In-House Forum focused on providing insight into success stories and practical solutions to key cybersecurity and privacy issues, so senior corporate leaders can understand how they stack up and how they can raise the bar in their own organizations.
Legal Research and Practice Tools:
With evolving and emerging technologies come new risks and responsibilities. Bloomberg Law’s essential news, expert analysis, and practice tools will help you stay ahead of privacy and data security developments and protect your business.
Access to this information requires a subscription to Bloomberg Law. Don’t have access? Request a demo.
Virginia Consumer Data Protection Act Glossary
This comprehensive glossary is your tool to understanding key terms in Virginia Consumer Data Protection Act (VCDPA).
CCPA/CPRA Comparison Tables
Compare the texts of the California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, and the subsequent California Privacy Rights Act (CPRA), which significantly amends the CCPA.
In Focus: Biometrics
Find everything you need to know about laws and regulations related biometric and facial recognition technology.