Virginia Consumer Data Protection Act (VCDPA)
Everything you need to know about Virginia’s comprehensive data privacy law
In 2021, Virginia became the second state after California to enact comprehensive consumer privacy legislation. With several key differences between the two laws, the VCDPA offers an alternative model for other states planning to enact their own data and privacy protections.
Bloomberg Law delivers expert analysis on the issues shaping state, federal, and international data and privacy laws. From risk mitigation and compliance challenges to legislative initiatives affecting how companies do business, rely on Bloomberg Law for the actionable guidance you need to make informed decisions.
What is the Virginia Consumer Data Protection Act (VCDPA)?
The VCDPA gives consumers the right to access their personal data and request that it be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. The law even contains some restrictions on the use of de-identified data, or data modified to no longer directly identify individuals from whom the data were derived.
Entities conducting business in Virginia must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. To be subject to the law, entities must control or process:
- the personal data of at least 100,000 consumers in a calendar year, or
- the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.
When did the VCDPA take effect?
The VCDPA went into effect Jan. 1, 2023.
Where is the VCDPA codified?
The VCDPA is codified at Va. Code §§ 59.1-575 through 59.1-585.
What rights do consumers have?
The VCDPA specifies six consumer rights:
- the right to confirm whether a controller is processing the consumer’s personal data;
- the right to access the personal data processed by a controller;
- the right to correct inaccuracies in the consumer’s personal data;
- the right to delete personal data provided by or obtained about the consumer;
- the right to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format; and
- the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling.
Who is a ‘consumer’?
A consumer is a natural person who is a resident of Virginia acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
What does the ‘processing’ of personal data mean?
Processing means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
What is ‘targeted advertising’?
Targeted advertising means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. Consumers have the right to opt out of targeted advertising.
What constitutes the ‘sale’ of personal data?
The “sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. Consumers have the right to opt out of the sale of personal data.
What is ‘profiling’?
Profiling means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Consumers have the right to opt out of profiling.
What types of consumer data does the VCDPA protect?
Personal data
The VCDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.
Sensitive data
The VCDPA defines sensitive data as a category of personal data that includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal data collected from a known child; or
- Precise geolocation data.
Is sensitive data treated differently from personal data?
Yes. The VCDPA prohibits the processing of sensitive data without obtaining consumer consent (Va. Code § 59.1-578). The processing of sensitive data also triggers the obligation to conduct and document a data protection assessment (Va. Code § 59.1-580).
What constitutes ‘consent’?
Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
What types of data are exempt from the VCDPA?
The VCDPA exempts certain information covered by federal laws and regulations, such as:
- HIPAA
- Common Rule
- Fair Credit Reporting Act
- Driver’s Privacy Protection Act
- Family Educational Rights and Privacy Act
The VCDPA also exempts certain information processed or maintained in the employment context (Va. Code § 59.1-576.C).
Who does the VCDPA apply to?
The VCDPA imposes obligations on persons that either conduct business in the commonwealth or produce products or services that are targeted to residents of the commonwealth and that:
- control or process personal data of at least 100,000 consumers during a calendar year; or
- control or process personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
Who is exempt from the law?
The VCDPA exempts the following entities:
- any body, authority, board, bureau, commission, district, or agency of the commonwealth or of any political subdivision of the commonwealth;
- any financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act;
- any covered entity or business associate governed by HIPAA’s privacy, security, and breach notification rules;
- any nonprofit organization; and
- any institution of higher education.
Compliance for data controllers
Who is a ‘controller’?
A controller is the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
What are the main obligations and requirements of a controller?
Under the VCDPA, controllers are obligated to:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Establish one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.
- Disclose any sale of personal data to third parties or any processing of personal data for targeted advertising and provide a means for consumers to exercise their right to opt out of such processing.
- Provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
Are there special obligations related to de-identified personal data?
Yes. A controller in possession of de-identified data must:
- Take reasonable measures to ensure that the data cannot be associated with a natural person;
- Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
- Contractually obligate any recipients of the de-identified data to comply with all provisions of the VCDPA.
Complying with consumer rights requests
To facilitate the exercise of consumer rights, the VCDPA requires a controller to:
- establish a process for consumers to submit authenticated requests to exercise their consumer rights;
- comply with consumer requests to exercise their rights;
- respond to consumer requests within 45 days of receipt;
- respond free of charge, up to twice annually per consumer;
- consider a consumer's appeal of its decision on a request; and
- establish a process for a consumer to appeal the controller's refusal to take action on a request.
When can a controller refuse to comply with an authenticated consumer rights request?
A controller (or processor) need not comply with an authenticated consumer rights request if all the following are true:
- The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
- The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
- The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted.
When must a controller perform a data protection assessment?
A controller must conduct and document a data protection assessment in each of the following circumstances:
- when processing personal data for purposes of targeted advertising;
- when selling personal data;
- when processing personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
- when processing sensitive data; and
- for any processing of personal data that presents a heightened risk of harm to consumers.
What must be included in a data protection assessment?
A data protection assessment must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.
Are data protection assessments for internal use only?
No. The Virginia attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in Va. Code § 59.1-578.
What is a controller prohibited from doing?
The VCDPA prohibits a controller from:
- Processing personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the controller obtains the consumer’s consent;
- Processing sensitive data concerning a consumer without obtaining the consumer’s consent;
- Discriminating against a consumer for exercising any consumer right;
- Attempting to waive or limit consumer rights in any way.
Compliance for data processors
Who is a ‘processor’?
A processor is a natural or legal entity that processes personal data on behalf of a controller.
What are the main obligations and requirements of a processor?
A processor must adhere to the instructions of a controller and must assist the controller in meeting its obligations under the VCDPA.
Data processing contracts
A contract between a controller and a processor governs the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
What specific terms must be included in a processor’s contract?
The contract must require the processor to:
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
- At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the VCDPA.
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.
- Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
Who enforces the VCDPA?
The Virginia attorney general has exclusive authority to enforce the VCDPA (Va. Code § 59.1-584).
Is there an opportunity to cure?
Yes. Prior to initiating an action, the attorney general must provide a controller or processor 30 days’ written notice identifying the specific provisions alleged to have been, or that are being, violated. If within the 30-day period the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated against the controller or processor.
What are the consequences for non-compliance?
If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation.
How is the VCDPA different from the CCPA?
At just eight pages, the VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Analysis by Bloomberg Law suggests that the law’s brevity and clarity may result in the VCDPA becoming a model for future privacy legislation.
The VCDPA clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context.” Unlike California, where the now-expired B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air.
Additionally, businesses must satisfy one of the thresholds to fall within the statute’s scope, and unlike California, the VCDPA makes no mention of a threshold based solely on annual gross revenue. Entities are not left to question whether the processing of data from a dozen or so consumers will subject them to the law.
Virginia’s law has no significant recordkeeping requirements, aside from documenting data protection assessments. If a business already has in place a GDPR- or CCPA-compliant process for receiving and responding to data subject or consumer access requests, that process should be sufficient to handle requests from Virginia residents.
What are some limitations to the VCDPA?
The Virginia law has carve-outs for protected health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as for personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Those falling outside the scope of the law also include state agencies, nonprofit organizations, colleges and universities, and entities or data subject to Title V of the Gramm-Leach-Bliley Act (GLBA), which largely regulates banks and other financial institutions.
Virginia residents can't sue directly over violations of the law. Enforcement is left in the hands of the state attorney general, who can seek civil penalties of up to $7,500 per violation.
A plus for business is the law’s 30-day cure period, which allows companies that receive letters alleging noncompliance to communicate with the attorney general’s office and remedy any potential violations before fines are imposed.
Additionally, unlike the CCPA, the Virginia data privacy law explicitly allows businesses to offer different prices and levels of service to consumers enrolled in loyalty programs without having to comply with certain obligations.