Legal and Data Privacy Writer at TermsFeed.
On this page
- 1. What is Virginia's Consumer Data Protection Act (VCDPA)?
- 1.1. What is Personal Data?
- 1.2. The VCDPA's Definitions
- 2. Who Does the VCDPA Apply to?
- 3. Who the VCDPA Doesn't Apply to
- 3.1. Excluded Entities
- 3.2. Exempted Data Sets
- 4. Requirements of the Virginia Consumer Data Protection Act (VCDPA)
- 4.1. Practice Data Minimization
- 4.2. Have a Privacy Notice
- 4.3. Have a Security Provision
- 4.4. Obtain Consent
- 4.5. Disclose Consumer Rights
- 5. Summary
The Virginia Consumer Data Protection Act (VCDPA) gives residents of the Commonwealth of Virginia control over how companies collect and process their personal data.
As a comprehensive piece of data privacy legislation, the VCDPA serves to empower the residents of Virginia with regard to the sale or processing of their personal data. The law was modeled after other prominent privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
In this article, we will answer some key questions about the VCDPA, help you find out if your business falls under its jurisdiction, and provide some practical information for your compliance with the law.
What is Virginia's Consumer Data Protection Act (VCDPA)?
The VCDPA is a privacy bill that sets up a framework for managing and processing personal data in Virginia. It was designed to provide residents of the Commonwealth with certain new rights regarding the collection, processing, or sale of their personal data.
These rights include:
- The right to access their personal data
- The right to request and obtain their personal data in a functional and portable format
- The right to rectify inaccurate information about themselves
- The right to delete their personal data
- The right to opt out, at any time, of the sale of their personal data or its processing for targeted advertising or any kind of profiling
By signing the VCDPA into law, Virginia became the second state in the US, after California, to enact a comprehensive data privacy law. Unlike the CCPA, however, Virginia's law is more explicit in its definitions and exemptions.
What is Personal Data?
Personal data is simply any data that can be used to identify a natural person. Common examples include names, dates of birth, email addresses, identification numbers, and so on.
Under the VCDPA, personal data is defined more specifically as:
"Any information that is linked or reasonably linkable to an identified or identifiable natural person."
The law further defines a category of personal data known as sensitive data, which you must take measures to protect. Sensitive data includes:
- Racial or ethnic origin data
- Immigration or citizenship status
- Physical or mental health diagnosis
- Precise geolocation data
- Religious beliefs
- Personal data obtained from a known child
- Sexual orientation
- Genetic or biometric data
However, personal data does not include:
- De-identified data (i.e., any data from which all personally identifiable information has been removed)
- Publicly available information
The VCDPA's Definitions
To find out if your company is subject to the VCDPA, you need to understand how the law defines certain terms.
A consumer (for purposes of the VCDPA) is a natural person who is a resident of Virginia and acts only in an individual or household context.
The definition does not include a person acting in a commercial or employment context.
Processing means anything you do with a consumer's personal data while it's under your control. It includes collecting, storing, using, analyzing, modifying, disclosing, and deleting the data.
Under the VCDPA, consent refers to a clear affirmative act that indicates a consumer's freely given, specific, and informed agreement to the processing of their personal data.
Consent may take the form of a written statement (including one made electronically) or any other unambiguous affirmative action.
Under the law, a controller is an individual or company that collects personal data from consumers, defines the purpose for its collection, and determines how it will be processed.
Who Does the VCDPA Apply to?
The VCDPA applies to anyone who conducts business in the Commonwealth of Virginia. It also applies to those who offer products or services targeted at Virginia residents, regardless of where they are based.
For example, if you manage a music streaming website based in Florida, but your services are used by some residents of Virginia, you may be required to comply with the VCDPA.
In addition, the VCDPA limits its scope to businesses that meet one of the following thresholds:
- Process the personal data of at least 100,000 consumers in one calendar year, or
- Earn more than 50% of your gross revenue from selling personal data and process the information of at least 25,000 consumers
To put this in context, a social media company in California that collects details like names and email addresses (i.e., personal data) from its users will be subject to the VCDPA if it has over 100,000 users in a year, some of whom are from Virginia.
Alternatively, such a company will be subject to the law if it has at least 25,000 users and sells their data to obtain over half of its revenue.
It is worth noting that the gross revenue from selling personal information is defined as "monetary consideration" in the VCDPA unlike the broader "valuable consideration" seen in the CCPA.
To sum it up, Virginia's VCDPA has a two-part process to determine if your business falls under its jurisdiction.
First, examine the geographic distribution of your users to see if there are any from Virginia. If yes, then you're halfway there.
The next and final step is to evaluate the volume of personal data you manage and the gross revenue you derive from its sale. If both steps are satisfied according to the terms above, the VCDPA applies to you.
Who the VCDPA Doesn't Apply to
The VCDPA provides a long list of exemptions from its coverage, including certain entities and various types of data governed by federal law.
Let's look at the entities that do not have to comply with Virginia's VCDPA.
- Any authority, body, bureau, board, commission, district, Virginian agency, or political subdivision of Virginia
- Covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Financial institutions or data covered by Title V of the federal Gramm-Leach-Bliley Act (GLBA)
- Higher-education institutions
- Nonprofit organizations
For example, bodies like public charities, health maintenance organizations, political parties, universities, banks, insurance companies, and similar groups are all exempted from complying with the VCDPA.
Exempted Data Sets
In addition to the list of entities excluded from its coverage, the VCDPA exempts specific categories of data. They include:
- Protected health information under HIPAA
- Certain personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Certain sets of data governed by the Fair Credit Reporting Act (FCRA)
- Personal data regulated by the federal Farm Credit Act (FCA) of 1933
- Personal data collected, processed, or sold in compliance with the federal Driver's Privacy Protection Act (DPPA)
- Specific data relating to employment
Finally, if you already comply with the parental consent requirements of the Children's Online Privacy Protection Act (COPPA), you are excluded from the VCDPA's parental consent obligation.
Requirements of the Virginia Consumer Data Protection Act (VCDPA)
Now that we understand what the law is and who it applies to, let's see the requirements of Virginia's VCDPA if your business falls under its jurisdiction.
Practice Data Minimization
Under Virginia's VCDPA, you (as a controller of personal data) must minimize the volume of personal data you obtain from consumers, collecting only relevant, adequate, and reasonably necessary information.
Additionally, unless you obtain the consumer's consent, you must not process personal data for purposes beyond those for which it was collected.
The bottom line here is to collect only relevant, necessary information and ensure it is processed or used for the pre-established purpose.
Have a Privacy Notice
Your Privacy Notice should include:
- The categories of personal information you process
- The reasons for processing them
- The rights users have over their data, and how they may exercise them
- The type of personal information you share with third parties (if any)
- The categories of third parties (if any) with whom you share personal data
Facebook, for example, meets this requirement by providing a detailed Data Policy that covers the points listed above.
Have a Security Provision
Another essential requirement of the VCDPA is to develop, implement, and maintain security systems to protect the integrity, confidentiality, and accessibility of personal data.
In addition, the law states that the level of security should be appropriate to the volume and type of personal data being protected. In essence, the more data you process, and the more sensitive it is, the stronger the security measures you need to provide.
PayPal is one example of a company that shows compliance with the security provision requirement of the VCDPA.
Obtain Consent
A major requirement of the VCDPA is to obtain consumers' affirmative consent before processing their personal or sensitive data.
If the consumer is a known child (i.e., a minor), you must adhere to the parental consent requirement of the VCDPA, unless you already comply with the COPPA as previously stated.
Disclose Consumer Rights
Finally, the VCDPA requires you to inform consumers of their rights under the law and how they may exercise them.
Summary
With the VCDPA's introduction, more and more states are starting to contemplate data protection laws to make consumers true owners of their personal information.
In a statement, State Sen. David W. Marsden, D-Fairfax (a sponsor of the VCDPA) said:
"This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers."
Here's a quick refresher to help you find out if the VCDPA applies to you.
Consider the following questions:
- Is your company based in Virginia?
- Do you offer products or services targeted at Virginia residents?
- Do you control or process the personal data of more than 100,000 consumers in a calendar year?
- Do you control or process the personal data of more than 25,000 consumers?
- Do you obtain over half of your gross revenue from selling personal information?
In light of the above, if your business falls under the VCDPA's scope, you must comply with the requirements listed in this article. Failure to do so may result in a fine of up to $7,500 for each violation, imposed by the Virginia Attorney General.