Do I Need to Comply with Virginia VCDPA

The Virginia Consumer Data Protection Act (VCDPA) gives residents of the Virginia Commonwealth control over how companies collect and process their personal data.

As a comprehensive data privacy legislation, the VCDPA serves to empower the residents of Virginia with regard to the sale or processing of their personal data. Moreover, the law was modeled after other prominent privacy laws, such as the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

In this article, we will answer some key questions about the VCDPA, help you find out if your business falls under its jurisdiction, and provide some practical information for your compliance with the law.

What is Virginia's Consumer Data Protection Act (VCDPA)?

The VCDPA is a privacy bill that sets up a framework for managing and processing personal data in Virginia. It was designed to provide residents of the Commonwealth with certain new rights regarding the collection, processing, or sale of their personal data.

These rights include:

• The right to access their personal data
• The right to request and obtain their personal data in a functional and portable format
• The right to rectify inaccurate information about themselves
• The right to delete their personal data
• The right to opt-out of the sale or processing of their personal data at any time for targeted advertising or any kind of profiling

By signing the CDPA into law, Virginia became the second state in the US to enact a comprehensive data privacy law after California. Although, unlike the CCPA, Virginia's CDPA is more explicit in its definitions and exemptions.

What is Personal Data?

Personal data is simply any data that can be used to identify a natural person. Common examples include names, dates of birth, email addresses, identification numbers, and so on.

Under the VCDPA, personal data is defined more specifically as:

"Any information that is linked or reasonably linkable to an identified or identifiable natural person."

The law further classifies a category of personal data known as sensitive data, which you must take measures to protect. They include:

• Racial or ethnic origin data
• Immigration or citizenship status
• Physical or mental health diagnosis
• Precise geolocation data
• Religious beliefs
• Personal data obtained from a known child
• Sexual orientation
• Genetic or biometric data

However, personal data does not include:

• De-identified data (i.e., any data from which all personally identifiable information has been removed)
• Publicly available information

The VCDPA's Definitions

To find out if your company is subject to the VCDPA, you need to understand how the law defines certain terms.

1. Consumer

   A consumer (for purposes of the VCDPA) is a natural person who is a resident of Virginia and acts only in an individual or household context.

   The definition does not include a person acting in a commercial or employment context.

2. Processing

   Processing means anything you do with a consumer's personal data while it's under your control. It includes collecting, storing, using, analyzing, modifying, disclosing, and deleting the data.

3. Consent

   Under the VCDPA, consent refers to a clear approving act that indicates a freely given, precise, and informed agreement to process the personal data of a consumer.

   With that said, consent may include a written statement or report (including one written electronically) or any other explicit approving action.

4. Controller

   Under the law, a controller is an individual or company that collects personal data from consumers, defines the purpose for its collection, and determines how it will be processed.

Who Does the VCDPA Apply to?

The VCDPA applies to anyone that conducts business in the commonwealth of Virginia. It also applies to those who offer products or services that target Virginia's residents regardless of where they are based.

For example, if you manage a music streaming website based in Florida, but your services are used by some residents of Virginia, you may be required to comply with the VCDPA.

In addition, Virginia's VCDPA expands its scope by demanding compliance if you either:

• Process the personal data of at least 100,000 consumers in one calendar year, or
• Earn more than 50% of your gross revenue from selling personal data and process the information of at least 25,000 consumers

To put this in context, a social media company in California that collects details like names and email addresses (aka personal data) from its users will be subject to the VCDPA if it has over 100,000 users in a year, some of which are from Virginia.

Alternatively, such a company will be subject to the law if it has at least 25,000 users and sells their data to obtain over half of its revenue.

It is worth noting that the gross revenue from selling personal information is defined as "monetary consideration" in the VCDPA unlike the broader "valuable consideration" seen in the CCPA.

To sum it up, Virginia's VCDPA has a two-part process to determine if your business falls under its jurisdiction.

First, examine the geographic distribution of your users to see if there are any from Virginia. If yes, then you're halfway there.

The next and final step is to evaluate the volume of personal data you manage and the gross revenue from its sale. If both these steps satisfy the terms above, the VCDPA applies to you.

Who the VCDPA Doesn't Apply to

The CDPA provides quite a long list of exemptions from its coverage, including certain entities and various types of data governed by federal law.

Let's look at the entities that do not have to comply with Virginia's VCDPA.

Excluded Entities

• Any authority, body, bureau, board, commission, district, Virginian agency, or political subdivision of Virginia
• Covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Financial institutions or data covered by the Title V of the federal Gramm-Leach-Bliley Act (GLBA)
• Higher-education institutions
• Nonprofit organizations

For example, bodies like public charities, health maintenance organizations, political parties, universities, banks, insurance companies, and similar groups are all exempted from complying with the VCDPA.

Exempted Data Sets

In addition to the list of entities excluded from its coverage, the VCDPA exempts specific categories of data. They include:

• Personal health information under the HIPAA
• Certain personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
• Certain sets of data governed by the Fair Credit Reporting Act (FCRA)
• Personal data regulated by the federal Farm Credit Act (FCA) of 1933
• Personal data collected, processed, or sold in compliance with the federal Driver's Privacy Protection Act (DPPA)
• Specific data relating to employment

Finally, if you already comply with the parental consent requirements of the Children's Online Privacy Protection Act (COPPA), you are excluded from having to comply with the CDPA's parental consent obligation.

Requirements of the Virginia Consumer Data Protection Act (VCDPA)

Now that we understand what the law is and who it applies to, let's see the requirements of Virginia's VCDPA if your business falls under its jurisdiction.

Practice Data Minimization

Under Virginia's VCDPA, you (as a controller of personal data) must minimize the volume of personal data you obtain from consumers, collecting only relevant, adequate, and reasonably necessary information.

Additionally, unless you obtain consumer consent, you must not process personal data beyond the purpose for which it is meant.

The bottom line here is to collect only relevant, necessary information and ensure it is processed or used for the pre-established purpose.

Have a Privacy Notice

The VCDPA requires you to provide consumers with a clear, meaningful, and logically accessible Privacy Notice (aka a Privacy Policy). If you already have one in place, it should be updated to satisfy the requirements of the law.

Your Privacy Notice should include:

• The categories of personal information you process
• The reasons for processing them
• The rights users have over their data, and how they may exercise them
• The type of personal information you share with third parties (if any)
• The categories of third parties (if any) with whom you share personal data

Facebook meets this requirement by providing a detailed Data Policy that outlines the listed points above:

Here's how Snap Inc. also provides the required information in its Privacy Policy:

Have a Security Provision

Another essential requirement of the VCDPA is to develop, implement, and maintain security systems to protect the integrity, confidentiality, and accessibility of personal data.

In addition, the law states that the level of security should be relative to the volume and type of personal data being protected. In essence, the more data you process, the better the security measures you need to provide.

Here's how PayPal shows compliance with the security provision requirement of the VCDPA:

Obtain Consent

A major requirement of the VCDPA is to obtain consumers' approving consent before attempting to process their personal or sensitive data.

If the consumer is a known child (i.e., a minor), you must adhere to the parental consent requirement of the VCDPA, unless you already comply with the COPPA as previously stated.

Here's how Google complies with the consent requirement provision in its Privacy Policy:

Disclose Consumer Rights

Finally, the VCDPA requires you to inform consumers of their rights under the law and how they may exercise them.

These rights should be properly displayed in your Privacy Policy for consumers' convenience. You should also refrain from discriminating against consumers who wish to exercise their privacy rights.

Spokeo complies with this obligation in its Privacy Policy for EU Data Subjects as shown below:

Summary

Although the VCDPA is not scheduled to take effect until January 1, 2023, now is a good time to set up or review your Privacy Policy if your business is subject to the law.

With the VCDPA's introduction, more and more states are starting to contemplate data protection laws to make consumers true owners of their personal information.

In a statement, State Sen. David W. Marsden, D-Fairfax (a sponsor of the VCDPA) said:

"This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers."

Here's a quick refresher to help you find out if the VCDPA applies to you.

Consider the following questions:

• Is your company based in Virginia?
• Do you offer products or services targeted at Virginia residents?
• Do you control or process the personal data of more than 100,000 consumers in a calendar year?
• Do you control or process the personal data of more than 25,000 consumers?
• Do you obtain over half of your gross revenue from selling personal information?

In light of the above, if your business falls under the VCDPA's scope, you must comply with the requirements listed in this article. Failure to do so may result in a fine of up to $7,500 for each violation by the Virginia State Attorney General.