Virginia Consumer Data Protection Act (VCDPA) Amendments and Clarifications

Virginia signed the Virginia Consumer Data Protection Act (VCDPA) into law on March 2, 2021, and became the second state after California to officially enact comprehensive consumer data privacy legislation. The VCDPA gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes.

On April 11, 2022, Virginia Gov. Glenn Youngkin approved amendments to the VCDPA ahead of its Jan. 1, 2023, effective date, with a goal to provide clarity for companies preparing to comply with the new law.

In summary, the approved amendments add an exemption to the law’s right to delete, modify its definition of “nonprofit,” and alter the funding structure for enforcement. Read on to learn more about the VCDPA amendments and understand how they may impact the work of in-house counsel, attorneys, and legal professionals advising clients on the VCDPA’s implementation.

What VCDPA amendments were approved?

Following the VCDPA’s passage in 2021, the Virginia legislature created the VCDPA Work Group of the Joint Commission on Technology and Science to study findings, best practices, and recommendations prior to the January 2023 implementation of the act. The approved VCDPA amendments were inspired by the Work Group’s final report, which was produced after six meetings were convened in 2021.

‘Right to delete’ exception

The VCDPA gives consumers the right to delete and empowers Virginians to request the deletion of personal data. The first set of amendments (SB 393 and HB 381) establishes an exception to the VCDPA’s right to delete, which applies in instances where personal data is collected from a source other than the consumer. Under this exception, data may be considered deleted in instances where either:

1. A minimal record of the deletion request is retained for the exclusive purpose of ensuring the consumer’s data is/remains erased; or
2. The consumer has opted out of all nonexempt data processing activities (e.g., targeted advertising and sales).

Elimination of the Consumer Privacy Fund

The original VCDPA legislation called for the creation of a Consumer Privacy Fund that would have stored civil penalties collected from enforcement of the law. The second set of amendments (SB 534 and HB 714) eliminates the Consumer Privacy Fund and diverts all funds collected under this law to the state treasury’s Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.

These amendments also redefine VCDPA-exempt “nonprofit organizations” to include tax-exempt political organizations. Find out which entities are exempt from VCDPA.

How should companies comply with the VCDPA and its new amendments?

The VCDPA imposes obligations on companies that conduct business in Virginia or produce products or services that are targeted to residents of the commonwealth. These companies must satisfy one of these two thresholds to fall within the statute’s scope.

The VCDPA amendments do not significantly alter the way companies conducting business in Virginia should approach compliance. Rather, these amendments aim to provide clarity on questions that surfaced after the law’s initial passage.

In general, the VCDPA requires a controller – defined as the natural or legal person who, alone or jointly with others, determines the purpose and means of processing personal data – to ensure processes are in place that allow Virginians to exercise their consumer rights.

Aside from documenting data protection assessments, Virginia’s law has no significant recordkeeping requirements. In fact, if a business already has a process for receiving and responding to data subject or consumer access requests that is compliant with the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA), that system should be sufficient to handle requests from Virginia residents.

Are additional VCDPA amendments or clarifications anticipated?

Changes to other state privacy laws, or new federal rules, could prompt Virginia’s legislature to restart the amendment process. And the chances of a federal privacy law being enacted increase when more states pass consumer privacy legislation, according to WilmerHale Cybersecurity and Privacy Attorney Kirk J. Nahra in Bloomberg Law’s 2022 Outlook on Privacy & Data Security.

Experts including Nahra anticipate a national privacy law may become inevitable. In the meantime, one particular issue that could trigger additional VCDPA amendments is the subject of universal opt-out mechanisms, which allow consumers to indicate their privacy choices across websites. The VCDPA in its current form does require businesses to respect opt-out preference signals. However, the aforementioned VCDPA Work Group report recommends that the legislation honor a global opt-out setting selected by consumers.

Singular thought leadership on data privacy from Bloomberg Law

As consumer data privacy laws and issues continue to unfold, stay ahead of developments with expert analysis, comprehensive coverage, news, and practice tools from Bloomberg Law. Watch our on-demand In-House Forum on managing data and customer privacy to learn to successfully manage data and privacy and find the right balance between oversight and keeping up with rapidly changing requirements.

Save valuable time when you trust Bloomberg Law to keep up with VCDPA developments and complex compliance questions with ease. Sign up for your guided Bloomberg Law demo today.