VCDPA Regulations: A breakdown
While California’s CCPA and CPRA amendments get most of the spotlight for data regulations in the U.S., four other states (Connecticut, Colorado, Utah, and Virginia) have also passed comprehensive data privacy laws over the past few years.
Virginia’s law, the Virginia Consumer Data Protection Act (VCDPA), was passed in March 2021 and has been in effect since January 1, 2023. The VCDPA is extremely similar to the CPRA and GDPR, even lifting the latter’s exact wording on what constitutes consent: “freely given, specific, informed and unambiguous agreement.”
Who needs to comply with VCDPA?
The VCDPA applies to businesses that:
- Conduct business in Virginia or market their goods and services to Virginia residents; and
- Either:
A) Control or process the personal data of at least 100,000 Virginia residents; or
B) Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data.
What is in the VCDPA?
The law does not go quite as far on some issues as the CPRA and GDPR do, which could explain why it was able to pass within a single two-month session of the Virginia state legislature. The law’s framework and bipartisan support make it an ideal model for other states to follow as the United States inches toward more complete data protection.
That speed and smoothness contrast with California’s CPRA amendments, which underwent multiple rounds of changes and voting, resulting in the regulation not receiving official textual confirmation until February 2023, after the Jan 1, 2023 effective date (although ahead of the July 1, 2023 enforcement date).
Two notable differences the VCDPA has from the CPRA are the enforcement and the lack of private action.
Regarding enforcement, only the Virginia Attorney General has the power to enforce the regulations, which is how California’s CCPA was originally set up. However, California soon discovered enforcement was extraordinarily difficult under just the AG’s office, which is why it expanded enforcement in the CPRA amendments. Virginia’s regulation is again testing whether an AG office is vigilant enough to make the law matter.
While fines are set up to $7,500 per violation, the VCDPA does not have the right of private action, meaning that individuals may not bring lawsuits against companies that violate their data rights.
What are those data rights protected by the VCDPA? The list is what you would expect, given existing regulations.
VCDPA Sensitive Personal Data Categories and Consumer Rights
The VCDPA lists the following as sensitive personal data categories:
- Religious beliefs
- Information on race, ethnicity or sexual orientation
- Mental and physical health diagnoses (though unrelated to HIPAA data)
- Citizenship and immigration status
- Genetic and biometric data
- Geolocation tracking data
The VCDPA grants consumers the following rights with regard to their personal data:
- The right to know, access and confirm personal data.
- The right to delete personal data.
- The right to correct inaccuracies in personal data.
- The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company).
- The right to opt out of the processing of personal data for targeted advertising and sales purposes.
- The right to opt out of profiling based upon personal data.
- The right not to have their personal data processed as part of any automated decision-making.
- The right to not be discriminated against for exercising any of the aforementioned rights.
For data subject access request handling, companies need to acknowledge requests immediately upon receipt and have 45 days to respond to a request.
This means the VCDPA grants the baseline of DSAR rights that the GDPR established, but it also gives users opt-out rights from both having their data sold to third parties AND having their personal data processed at all, a key step forward in the initial legislation.
The VCDPA does have a few exemptions for data the regulation does not cover, a much wider group of categories than the CPRA exempts, in addition to a more generous definition of what counts as "publicly available information" and is thus also not bound by the regulations:
- HIPAA-protected health information (PHI) & HIPAA-defined data in the interest of public health
- Data regulated by the Fair Credit Reporting Act
- Private information about human subjects involved in research studies
- Information regarding the federal Health Care Quality Improvement Act of 1986
- Data regulated by the Family Educational Rights and Privacy Act
- Data around financial institutions’ requirement to safeguard data
As noted above, VCDPA enforcement falls on the Office of the Virginia Attorney General. When the Attorney General is notified of a violation, a business will have a 30-day “cure period” to amend the issue. If the organization fails to do so, violations carry penalties of up to $7,500 per violation.
Companies are also required to notify affected subjects immediately if a data breach occurs. If each affected individual counts as a separate violation, a data breach involving just 1,000 users could cost a company as much as $7.5 million.
VCDPA will not affect state entities, colleges or universities, non-profit organizations, or organizations subject to HIPAA or the Gramm-Leach-Bliley Act.
Still, with new state-level laws carrying real disciplinary deterrence, things like keeping an up-to-date data map are more important than ever for American companies.
How Businesses Adjust to VCDPA
VCDPA presents the following obligations for businesses that fall under its jurisdiction:
- Privacy notices – Presenting consumers with a “reasonably accessible, clear, and meaningful privacy notice” on how to exercise their privacy rights. These consent notices must be freely given and include details on:
a) Personal data categories a controller processes
b) Why personal data categories are being processed
c) Which personal data categories a controller shares with third parties
d) The types of third parties with whom the controller shares personal data
- Vendor contracts – Businesses classified as controllers are responsible for establishing binding contracts with processors to ensure greater transparency in data processing.
- Sensitive data processing – The VCDPA requires controllers to obtain consumer consent before processing the sensitive data categories noted above. They must also obtain consent to process children’s personal information in line with the federal Children’s Online Privacy Protection Act (COPPA).
- Privacy impact assessments – Organizations must conduct data privacy impact assessments (DPIAs) to evaluate the risks and benefits of data processing activities to the consumer. DPIAs need to be carried out if consumer personal data will be:
a) Processed for all forms of targeted advertising
b) Sold to third parties
c) Used for profiling that poses a risk to consumers’ livelihoods
d) Considered highly sensitive
For customer-facing data privacy matters, this means consent management and transparent wording; for back-end matters, tools for DSAR handling and data mapping will help satisfy these requirements and get businesses in line with both the VCDPA and other state-level regulations that will likely have similar compliance baselines.