Virginia Enacts a New Data Protection Law
21 February 2021
Virginia’s legislature has recently enacted a new and comprehensive privacy act, the Virginia Consumer Data Protection Act (“VCDPA”).
While many US states have introduced privacy law initiatives over the past year, Virginia is the first state to pass a comprehensive privacy law since California’s Consumer Protection Act (“CCPA”). The VCDPA shares various elements with both the CCPA and the European Data Protection Regulation (“GDPR”), but as it is not identical to either of them, it would require certain adjustments to existing compliance efforts.
The applicability threshold of the VCDPA differs from the CCPA’s: the law would apply to all entities that conduct business in Virginia, or produce products or services that target Virginia’s consumers, if one of the following applies to such entities:
- During a calendar year, the entity controls or processes personal data of at least 100,000 consumers; or
- The entity controls or processes personal data of at least 25,000 consumers and derives over 50 percent of its gross revenue from the sale of personal data.
Below are some of the key provisions of the VCDPA:
- Controllers and processors: like the GDPR, the VCDPA introduces the concepts of a “controller” and a “processor”, with differentiated obligations under each role. For example, controllers would be required, inter alia, to implement reasonable security measures to protect personal data, to comply with privacy rights requests within 45 days, to follow the principle of data minimization, and to obtain consent for the processing of sensitive data.
- Transparency: controllers are required to provide consumers with a clear and meaningful privacy notice. The privacy notice must include the categories of processed data and the purposes, the categories of personal data that are shared with third parties alongside the categories of such third parties, and instructions and means to exercise consumers’ rights.
- Data protection assessments: the VCDPA would require controllers to conduct a data protection assessment in connection with the following processing activities: sale of personal data, targeted advertising, profiling, processing that involves sensitive data, and “any processing activities involving personal data that present a heightened risk of harm to consumers”. Virginia’s Attorney General may request that a controller disclose an assessment that is relevant to an investigation.
- Data protection contracts: like the GDPR, the VCDPA sets out several mandatory provisions that must be included in contracts between a controller and a processor. These provisions include, inter alia, duties of confidentiality, instructions for processing data (including the nature and purpose of the processing), a right of audit, and data deletion.
- Consumer rights: the new law will provide Virginia’s consumers with the following rights:
- Access: to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data;
- Correction: to correct inaccuracies in the consumer’s personal data;
- Deletion: to delete personal data provided by or obtained about the consumer;
- Portability: to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format;
- Broad opt out: to opt out of processing of personal data for purposes of: (1) targeted advertising, or (2) sale of personal data, or (3) profiling that results in legal or similarly significant effects concerning the consumer.
- Exemptions: The VCDPA will not apply to data processed in a commercial (business-to-business) or employment context. In addition, the law will not apply to entities that are subject to the Health Insurance Portability and Accountability Act, to nonprofit organizations, to higher education institutions, to financial institutions or data that are subject to the Gramm-Leach-Bliley Act, and to processing that is authorized and regulated under the Fair Credit Reporting Act.
- Enforcement: unlike under the CCPA, Virginia’s residents will not be provided with a private right of action, and Virginia’s Attorney General will have the sole authority to enforce violations of the VCDPA. Prior to initiating any enforcement action, the Attorney General will provide a 30 days’ notice identifying the specific alleged violations of the VCDPA. If the violations are not cured within these 30 days, the Attorney General may impose fines of up to $7,500 for each violation.
The VCDPA is still subject to the signature of Virginia’s Governor; however, approval without any changes is expected, as a consolidated version of the law was approved by both the state’s House of Representatives and the Senate. The law is expected to enter into force on 1 January 2023, which is also the expected entry-into-force date of the California Privacy Rights Act that we recently reported about.
The VCDPA is an important regulatory development for entities that conduct business involving personal data of Virginia residents. Companies should examine their data flows and assess whether the VCDPA applies to them. Feel free to contact us if you have any questions regarding the new law and its potential effects on your company’s compliance efforts.