
Virginia Consumer Data Protection Act: Ultimate Guide for Compliance

Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law on March 2, 2021.  

After California, Virginia is the second state to enact such legislation.   

The new regulations, which officially take effect on January 1, 2023, will change how companies are allowed to collect and use their clients’ data.  

Although the law has many similarities with the one in effect in California, it differs in several salient aspects.   

It is similar in that it gives Virginia residents the right to know, access, delete, correct, and opt out of the processing and sale of their personal information for marketing and advertising purposes.    

In other respects, however, the VCDPA more closely resembles the European Union’s GDPR (General Data Protection Regulation).   

It emphasizes ‘processor’ and ‘controller’ terminology and data protection assessment requirements.  

It also places responsibility for enforcing the law entirely with the Attorney General’s office.   


Who Must Comply with VCDPA Requirements? 

This legislation applies to any company operating in Virginia or selling its products or services in the state.  

Such a company either handles the personal information of over 100,000 resident clients or obtains over 50% of its revenue from selling personal client data.   

A company whose economic activities trigger state tax liabilities or personal jurisdiction qualifies as ‘doing business in the state’.    

These statutes focus less on the revenues or profits of the companies they target than on the volumes of client data those companies collect, process, and profit from.  

Thus, some large organizations may find themselves exempt from the VCDPA.   

It affords data-specific and entity-level exemptions to:   

  1. Official state agencies and institutions.
  2. Financial institutions and data falling under GLBA (Gramm-Leach-Bliley Act) protection. 
  3. Business associates and covered entities under HIPAA (Health Insurance Portability and Accountability Act) or the Health Information Technology for Economic and Clinical Health (HITECH) Act. 
  4. Non-profit institutions.
  5. Institutions of higher learning. 


What does the VCDPA cover? 

The VCDPA is very similar to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).  

The CPRA is an extension of the CCPA, but let’s stay on track.  

The VCDPA is all about consumer rights.  

That means you must comply with its regulations if you own a business in Virginia, or if you have site visitors from Virginia or manage or collect data from Virginia residents.  

These rights include:    

  • The right for users to know where and from whom their data is being collected or shared. This requires a cookie banner, a specific privacy policy, and a way for users to decline or accept the terms on your website. 
  • The right to correct that information if it is not accurate. This requires a simple way for anyone, whatever their abilities, to confirm that their data is accurate while visiting or sharing from your site. 
  • The right to an understandable and ADA-compliant privacy policy. The Americans with Disabilities Act (ADA) requires businesses to give end users reasonable access to the information they are presenting. If someone can’t read, hear, or understand a privacy policy, they can’t agree to it. That makes sense. 
  • The right to delete information if necessary. When someone doesn’t want their data shared, or shared it without knowing, they should be able to delete it. 
  • The right to opt in to or opt out of sharing data. If an end user does not want their data shared with a specific industry or entity, they should be able to say no. If they do want it shared, they should be able to say yes just as easily. 

Virginia’s Privacy Law: Details and Definitions 

The VCDPA defines personal data as any information that may be reasonably linkable or linked to an identifiable or identified natural living person.  

However, this excludes publicly available information, pseudonymous data (data that cannot be linked directly to a person without additional information), and employment data.   
 

Consumer Rights to Personal Information 

Under this law, a ‘consumer’ is anyone who resides in Virginia, excluding those acting in employment or professional contexts, meaning that business-to-business interactions are exempt.   
 

Access, Deletion, Anti-discrimination, and Correction 

Under the VCDPA, residents of Virginia will enjoy the right to access, delete, or correct their data.  

In addition, controllers of that information will be required to implement mechanisms that give consumers an effective means of exercising these rights, and to describe those mechanisms in their privacy notices.   

This legislation offers controllers fewer grounds on which to deny these rights to consumers who request them.  

The VCDPA also protects consumers who exercise their rights under this legislation from discrimination.   
 

Opt-Out Rights 

Under this law, Virginians will have broader opt-out rights than those affected in California.  

Californians can only opt out of the sale of their information when the sale is directly tied to monetary gain (transfers to processors and affiliates are exempt) or when it is used for cross-context behavioral advertising.  

The VCDPA goes further, allowing consumers to opt out of targeted advertising programs.  

They may also opt out of any processing resulting in profiling that might have legal ramifications.    
 

Opt-in Rights 

Under these new regulations, consumers can choose whether ‘sensitive’ personal data may be processed.  

Controllers will have to obtain consumers’ consent before handling such data.   

Sensitive data includes sexual orientation, immigration status, physical health diagnosis, citizenship status, mental health status, religious beliefs, racial or ethnic origin, genetic data, precise geolocation data, biometric data, and data collected from a known minor.   

The difference between this clause in Virginia’s law and what California has in place is that California companies do not have to ask individual consumers for their consent.  

However, they are limited in what they can do with this information once they have it. 

Business Obligations 

There are specific responsibilities placed on the shoulders of organizations and businesses collecting consumer data, which include:   

Technical Safeguarding and Data Minimization 

In a nutshell, the VCDPA limits companies’ use of consumer data to what is necessary for, and compatible with, the purposes they disclosed to their consumers, unless they obtain consent beforehand for other uses.  

They are also responsible for keeping any information they collect secure. 

Are there any exemptions?  

Yes, there are.  

But! It isn’t straightforward.  

Even if you are a non-profit, healthcare, education, or financial organization, you could still be fined under the VCDPA.  

You could get into trouble unless you thoroughly understand the nuances of all the exemptions.  

Let’s remember that unintentional lapses in judgment still get fined. Intentional lapses?  

If you know the law and you’re not following it, you will get in trouble.   

Virginia’s Privacy Law: A Special Legislation! 

Something unique to the VCDPA is that citizens don’t have a private right of action against businesses.  

They have to go through the Attorney General first.  

This is interesting because the law is designed to protect citizens, but there are many hoops to jump through.  

Is this better for business? Not necessarily.   

Suppose an end user is so determined to take action that they contact the Attorney General, get all the necessary paperwork, and file.  

In that case, it’s a nightmare for the company they’re suing.  

Not only are the individual and the company involved, but there is also government oversight.  

Now, we’re looking into audits, investigations, fines, and potentially even more lawsuits from other disgruntled customers.   

In a way, the VCDPA protects both businesses and customers.  

It ensures that everyone must go through the proper steps to get the verification they need for digital privacy and transparency.   

Compliance with the VCDPA 

There are several ways to comply.   

  • You do it manually. This is hard work and likely distracts you from other things that keep your business running. You’ll need to stay current on all the laws, how they’re changing, and what your site needs in order to be compliant. 

  • You use a free service to help you manage the laws. Such a service may or may not be complete for your business needs, and it may not cover the specific regulations you have to follow.  

  • You get a free trial and a conversation with a privacy expert who can help you understand your needs and how best to meet them. 

GDPR-similar Requirements 

The VCDPA is similar to the European Union’s GDPR in several respects.  

It compels data controllers to carry out what it calls data protection assessments: regular evaluations of the risks to consumer data.   

It also requires controllers and processors to conduct their activities under the guidance of a clearly defined data processing agreement.  

It also holds them responsible for reporting any data breaches they may experience.   

Enforcing the VCDPA 

Responsibility for ensuring that all parties adhere to the rules and regulations set out in the VCDPA falls to the Attorney General’s office.   

This office may seek damages and injunctive relief of up to $7,500 for each VCDPA violation an entity is charged with.  

Private citizens are not granted the right to take personal action against organizations that violate their data privacy rights, whereas California’s legislation grants such a right.   


Seamless VCDPA Compliance with PrivacyPillar Privacy Solutions 

PrivacyPillar is an automated compliance solution for VCDPA and other global privacy regulations.  

It identifies sensitive information, ensures precise categorization, simplifies consent and preference management, and automates DSARs (data subject access requests).  

Its metadata-driven data catalog offers clarity, and it improves data privacy management while reducing risks.  

It provides robust solutions for privacy and compliance challenges. 

Regardless of whether a firm is subject to regulation by the VCDPA, it is still responsible for ensuring adequate security measures and preventing unauthorized access to customer data. 

Partner with PrivacyPillar and make privacy your competitive advantage by embracing the power of permission marketing that builds trust with your consumers.