VCDPA: An Overview of the Virginia Consumer Data Protection Act
Are you curious to know about the Virginia Consumer Data Protection Act (VCDPA)?
Consumer data is a valuable asset, often bought and sold for various purposes, thereby raising concerns about privacy and protection. In response, states throughout the United States have implemented data privacy regulations.
One of these regulations is the Virginia Consumer Data Protection Act (VCDPA). The main aim of this law is to grant Virginia residents greater authority over their personal information.
Whether you are a consumer looking to understand your rights or a business trying to navigate the complexities of this new legal terrain, this blog will be a valuable resource for staying well-informed and compliant.
This blog offers a comprehensive overview of the VCDPA’s main provisions, the rights it grants to consumers, and business compliance requirements.
Want to create a privacy policy to comply with Virginia users? Grab the WP Legal Pages compliance platform.
- What is the VCDPA Law?
- Key Definitions and Terms under VCDPA
- Overview of the Virginia Consumer Data Protection Act (VCDPA)
- To Whom Does the Virginia Privacy Law Apply?
- Differences Between VCDPA and Other Data Privacy Laws
- What are the Rights Under the Virginia Consumer Data Protection Act (VCDPA)?
- How to Comply With the Virginia Consumer Privacy Act?
- Penalties and Fines for Non-compliance of VCDPA Law
- FAQ
- Conclusion
What is the VCDPA Law?
The Virginia Consumer Data Protection Act (VCDPA) is a notable privacy law in the United States that regulates the handling of personal data of individuals residing in Virginia. It aims to improve consumer privacy safeguards and grant individuals greater authority over personal information.
The VCDPA concept was introduced in the Virginia General Assembly as part of a broader push for more robust data privacy protections in the United States. This movement gained traction after the European Union’s General Data Protection Regulation (GDPR) was enacted in 2018, and the California Consumer Privacy Act (CCPA) was passed in 2018 and became effective in 2020.
Virginia Governor Ralph Northam signed the VCDPA into law on March 2, 2021, making Virginia the second state in the U.S. to implement a comprehensive consumer data privacy law, following California.
The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021. It took effect on January 1st, 2023, the same day as California’s Consumer Privacy Rights Act (CPRA), the second data privacy law in that state.
The VCDPA is comprehensive privacy legislation at the state level that safeguards the personal data of Virginia’s 8.7 million residents.
It governs the collection and processing of consumers’ data, including consumers’ consent to, or opting out of, its use, and requests related to consumers’ privacy rights.
Key Definitions and Terms under VCDPA
The Virginia Consumer Data Protection Act (VCDPA) is comprehensive data privacy legislation that regulates how businesses handle personal data.
It’s essential for everyone to familiarize themselves with the following key terms:
1. Personal Data
Data that can be connected to a known or identifiable individual. Excludes publicly available information and de-identified data.
2. Controller
“A natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.” Controllers must ensure that personal data processing complies with the VCDPA and implement data protection principles.
3. Processor
“An individual or legal entity that handles personal data on behalf of a controller.” Processors must adhere to the controller’s instructions and aid in meeting data protection responsibilities.
4. Processing
Another critical term defined in the VCDPA is processing, which refers to the actions taken with or on consumers’ data once it has been gathered. The law defines processing as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
5. Consumer
According to Virginia privacy law, a consumer is “a natural person who is a resident of the Commonwealth of Virginia acting only in an individual or household context.” It does not include a person acting in a commercial or employment context.
6. Sale
The Virginia data privacy act defines sale as “the exchange of personal data for monetary consideration by the controller to a third party.”
It does not include the following disclosures of personal data:
- To a processor working on behalf of the controller
- To a third party as part of a merger, acquisition, bankruptcy, or other transaction
- To a third party to provide a product or service that the consumer has requested
- To an affiliate of the controller
- Personal data that the consumer intentionally made public without restriction (for example, on social media with minimal or no privacy settings enabled)
7. Consent
The consent is “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, a statement written electronically, or any other unambiguous affirmative action.”
Virginia’s legislation mainly follows an opt-out approach, meaning that businesses generally do not need prior consent before processing consumer data.
Businesses must obtain explicit opt-in consent in particular situations detailed in the VCDPA; these are:
- If the declared purpose for data processing changes,
- If the data is classified as sensitive, or
- If the data belongs to a known child (under age 13).
8. Profiling
Under Virginia data privacy laws, profiling is “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
This definition covers various activities that one could employ to create profiles of people and make decisions based on these profiles.
9. Targeted Advertising
Targeted advertising refers to showing ads to an individual based on personal data gathered from that person’s online activities across various websites or apps to anticipate their preferences or interests.
This does not cover ads based on a person’s current search query or on the website or online application the person is currently visiting.
Overview of the Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law enacted to protect the data privacy rights of Virginia residents. Signed into law on March 2, 2021, and effective January 1, 2023, the VCDPA establishes robust guidelines for businesses handling personal data. It aims to balance consumer privacy with business operations while aligning with global data protection trends. Below is an overview of its key features:
1. Applicability
The VCDPA applies to entities conducting business in Virginia or producing products and services targeted at Virginia residents, provided they meet one of the following criteria:
- Process or control the personal data of at least 100,000 Virginia residents annually.
- Derive 50% or more of gross revenue from the sale of personal data while controlling or processing the personal data of at least 25,000 residents.
Exemptions:
The law does not apply to:
- Government agencies.
- Nonprofit organizations (with some exceptions, such as those providing healthcare services).
- Higher education institutions.
- Businesses already subject to specific federal laws such as HIPAA or GLBA.
2. Key Definitions
- Personal Data: Information linked or reasonably linkable to an identifiable individual, excluding publicly available and de-identified data.
- Sensitive Data: Includes racial or ethnic origin, religious beliefs, health data, sexual orientation, biometric data, and data on minors.
- Sale of Data: Exchange of personal data for monetary consideration.
3. Consumer Rights
Virginia residents are granted specific rights over their data:
- Right to Access: Consumers can confirm whether their data is being processed and access a copy of their data.
- Right to Correction: Consumers can correct inaccuracies in their data.
- Right to Deletion: Consumers can request the deletion of their data under certain conditions.
- Right to Portability: Consumers can receive their data in a portable and machine-readable format.
- Right to Opt-Out: Consumers can opt out of:
  - Targeted advertising.
  - Sale of personal data.
  - Profiling that produces significant legal or similar effects.
4. Business Obligations
Businesses subject to the VCDPA must:
- Provide Transparency: Disclose data collection and usage practices in a clear, accessible privacy policy.
- Obtain Consent for Sensitive Data: Explicit consent is required before processing sensitive data.
- Implement Data Security Measures: Protect personal data with appropriate technical and organizational measures.
- Conduct Data Protection Assessments: Evaluate high-risk processing activities, including targeted advertising, profiling, and processing sensitive data.
5. Enforcement
- The Virginia Attorney General is responsible for enforcing the VCDPA.
- Businesses are provided a 30-day cure period to address violations upon notice.
- Penalties include fines of up to $7,500 per violation and recovery of investigation costs.
6. Exemptions and Industry Alignment
The VCDPA excludes specific data and entities already covered under federal laws, such as:
- Health Insurance Portability and Accountability Act (HIPAA).
- Gramm-Leach-Bliley Act (GLBA).
- Children’s Online Privacy Protection Act (COPPA).
This ensures the VCDPA does not duplicate regulations or impose unnecessary burdens on businesses already adhering to other frameworks.
7. Comparisons with Other Laws
The VCDPA shares similarities with laws like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR), but it is narrower in scope and applicability. It emphasizes consumer rights without creating additional burdens for small businesses and nonprofits.
To Whom Does the Virginia Privacy Law Apply?
The Virginia Consumer Data Protection Act (VCDPA) applies to for-profit businesses that operate in Virginia or provide products or services to Virginia residents.
To meet the criteria for coverage under the VCDPA, a business must fulfill one of the following requirements:
1. Manage or handle the personal data of a minimum of 100,000 consumers annually:
This means the business must directly access and control the personal data of at least 100,000 individuals living in Virginia. This includes data collected directly from consumers and data obtained from third-party sources.
2. Manage or handle the personal data of a minimum of 25,000 consumers and derive over 50% of gross revenue from the sale of personal data annually:
This applies to businesses that process the personal data of at least 25,000 Virginia residents and earn a substantial portion of their revenue by selling this data to third parties. This includes businesses involved in data brokering, advertising technology, or other activities that involve commercializing personal data.
It’s important to note that the VCDPA only applies to for-profit entities that meet the specific criteria outlined above.
Understanding the application of the Virginia data privacy law can help businesses comply with the law and protect the privacy of Virginia consumers.
Differences Between VCDPA and Other Data Privacy Laws
The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law enacted to protect the data privacy rights of Virginia residents.
While it shares similarities with other privacy laws like the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), General Data Protection Regulation (GDPR), and others, it also has distinct differences. Below is a detailed comparison of VCDPA with other major privacy laws:
1. Scope and Applicability
- VCDPA: Applies to businesses that:
  - Control or process personal data of at least 100,000 Virginia residents annually, or
  - Derive 50% or more of gross revenue from the sale of personal data while controlling or processing data of at least 25,000 residents.
  Nonprofits, except those focused on health services or higher education, are largely exempt.
- CCPA/CPRA (California): Applies to for-profit businesses that:
  - Have gross annual revenues exceeding $25 million,
  - Buy, sell, or share personal information of 50,000 or more California residents, households, or devices, or
  - Derive 50% or more of annual revenue from selling personal information.
  Nonprofits and smaller entities may also be affected if they process data on behalf of large businesses.
- GDPR (European Union): Has a global reach, applying to entities processing the personal data of EU residents regardless of the organization’s location. It applies to organizations that:
  - Have an establishment in the EU,
  - Offer goods or services to EU residents, or
  - Monitor behavior within the EU.
  No specific thresholds are required, making it broader in applicability than the VCDPA.
2. Personal Data Definition
- VCDPA: Defines personal data as any information linked or reasonably linkable to an identifiable individual. It excludes publicly available information and de-identified data. Sensitive data, such as biometric, health-related, or racial/ethnic data, requires explicit consent for processing.
- CCPA/CPRA: Broadly defines personal information as data that identifies, relates to, or could reasonably be linked to an individual or household. It includes unique identifiers such as IP addresses and device IDs but does not require consent to process sensitive data.
- GDPR: Personal data includes any information relating to an identifiable person, encompassing a broader spectrum than the VCDPA. Sensitive personal data, such as health, genetic, or political information, has stricter rules and requires specific legal bases for processing.
3. Consumer Rights
- VCDPA: Provides the following rights:
  - Access: Right to view collected personal data.
  - Correction: Right to correct inaccuracies.
  - Deletion: Right to request deletion of personal data.
  - Portability: Right to receive data in a portable format.
  - Opt-Out: Right to opt out of targeted advertising, data sales, and certain profiling activities.
- CCPA/CPRA: Provides similar rights but focuses more on data sales and sharing. Rights include:
  - Access, deletion, and portability rights.
  - Opt out of selling and sharing data, especially for targeted advertising.
  - New CPRA provisions include the right to correct inaccuracies and limit the use of sensitive personal information.
- GDPR: Grants the most comprehensive rights, including:
  - Right to access, correct, delete, and port personal data.
  - Right to restriction and objection: Consumers can restrict processing or object to specific uses.
  - Right to withdraw consent: Ensures individuals can revoke consent for data processing.
4. Consent Requirements
- VCDPA: Requires opt-in consent for processing sensitive personal data, including biometric data, health data, and data revealing race, religion, or sexual orientation.
- CCPA/CPRA: Operates primarily on an opt-out basis, allowing consumers to opt out of data sales or sharing. Consent is not explicitly required for most sensitive data processing, although the CPRA introduces limitations on its use.
- GDPR: Consent is a cornerstone, requiring precise, affirmative action for data processing. It must be freely given, specific, informed, and unambiguous, with strict standards for sensitive data.
5. Enforcement and Penalties
- VCDPA: Enforced by the Virginia Attorney General. Businesses are given a 30-day cure period to address violations before penalties are imposed. Penalties include fines of up to $7,500 per violation.
- CCPA/CPRA: Enforced by the California Attorney General and the California Privacy Protection Agency (under CPRA). The CCPA also offers a 30-day cure period. Penalties are $2,500 per violation or $7,500 for intentional violations or those involving minors.
- GDPR: Enforced by Data Protection Authorities (DPAs) in the EU. Penalties are significantly higher, reaching up to €20 million or 4% of global annual revenue, whichever is greater, for serious violations.
6. Focus on Business Types
- VCDPA: Excludes small businesses and nonprofits, focusing on entities with significant data-processing activities or those deriving substantial revenue from selling data.
- CCPA/CPRA: Indirectly reaches many small- to medium-sized businesses and nonprofit organizations because of its broad applicability criteria.
- GDPR: Applies universally to all entities handling EU residents’ data, regardless of size or profit status.
The VCDPA balances consumer protection and business operations, targeting companies with substantial data-processing activities and providing clear rights to Virginia residents.
What are the Rights Under the Virginia Consumer Data Protection Act (VCDPA)?
The Virginia privacy law empowers you with essential rights regarding your data. These rights include:
1. Right to Access
You can request and review your data from a covered entity. This includes understanding the specific types of information gathered, the purposes for which it is used, and the third parties or organizations with whom it is shared.
Accessing your data empowers you to verify its accuracy and ensure it is processed lawfully and transparently.
2. Right to Correction
You can request corrections to your data if it is inaccurate or incomplete. This ensures that the information held about you is up-to-date and reflects the truth. Accurate data is critical for preventing errors in credit scoring, medical records, or employment evaluations, which might rely on this information.
3. Right to Deletion
Under certain conditions, such as when data is no longer necessary for the purposes it was collected, you can request the deletion of your data. This right also applies if the data was processed unlawfully, ensuring greater control over how your information is retained and used.
Exceptions may apply when the data is needed for legal or compliance reasons.
4. Right to Portability
You can receive your data in a structured, commonly used, and machine-readable format. This allows you to transfer your data seamlessly to another service provider or organization. Portability promotes competition and gives you flexibility to switch services without losing access to your personal information.
5. Right to Opt-Out
You can refuse the sale of your data to third parties, safeguarding your privacy and limiting commercial exploitation of your information. This right is important for protecting sensitive information and preventing targeted advertising or unwanted solicitation.
6. Right to Non-Discrimination
Exercising your privacy rights under the applicable laws should not result in discrimination against you. Covered entities are prohibited from denying services, charging different rates, or offering inferior service quality because you have chosen to exercise your data protection rights. This ensures fairness and equal treatment for all individuals.
It’s important to note that the VCDPA includes exceptions to these rights, such as when processing is necessary for the public interest or the legitimate interests of the covered entity.
Empower yourself with knowledge of your rights under the VCDPA. Understanding these rights helps you safeguard your privacy and ensure your data is handled fairly and transparently.
How to Comply With the Virginia Consumer Privacy Act?
Companies must complete several necessary actions to adhere to the Virginia Consumer Data Protection Act (VCDPA).
Understand the Law
Determine whether your company falls under the VCDPA. The law applies to companies that control or process the personal data of at least 100,000 consumers, or of at least 25,000 consumers if more than 50% of their gross revenue comes from selling personal data.
Consumer Rights
Let consumers know their rights under the VCDPA, including:
- Right to access.
- Right to deletion.
- Right to correction.
- Right to portability.
- Right to opt out.
- Right to non-discrimination.
Data Processing and Security
Enforce reasonable administrative, technical, and physical security measures to safeguard personal data. Ensure that data collection is restricted to what is necessary and relevant.
Transparency
Issue a clear and accessible privacy notice outlining how personal data is gathered, utilized, and shared. This notice should also outline how consumers can exercise their rights.
Data Protection Assessments
Conduct assessments for data protection concerning processing activities that pose an increased risk of harm to consumers.
To comply with VCDPA, we advise you to use the WP Legal Pages Compliance Platform.
This platform provides access to the WP Legal Pages plugin and WP Cookie Consent, which assists in generating legal documents and managing cookies for your website.
The WP Legal Pages plugin offers over 130 ready-to-use templates for quickly creating and modifying your website’s policy pages.
WP Cookie Consent serves as a consent management tool to obtain explicit user consent.
Penalties and Fines for Non-compliance of VCDPA Law
The Virginia Consumer Data Protection Act (VCDPA) imposes significant penalties on businesses that do not comply.
Enforcement
The VCDPA can only be enforced by the Virginia Attorney General. Consumers have no private right of action under the law.
Remedy Period
Businesses have a 30-day window to fix violations after receiving notification.
Penalties and Fines
Violating the VCDPA can lead to fines of up to $7,500 per violation. This amount is similar to the fines imposed under the California and Utah laws, but it may be much lower than the fines that can be imposed under the GDPR. GDPR fines can reach up to €10 million or 2% of global annual revenue for initial violations and €20 million or 4% of annual revenue for subsequent violations, including repeated or more serious violations. The total amount of fines can accumulate rapidly if multiple violations are discovered.
Ensuring compliance with the VCDPA is essential to avoid these substantial penalties.
FAQ
The VCDPA, also known as the Virginia Consumer Data Protection Act, is a state law that gives Virginia residents more control over their personal information. This legislation requires businesses to protect consumer data and is enforced by the Virginia Attorney General.
The Virginia Consumer Data Protection Act applies to companies operating in Virginia that collect substantial quantities of personal information from Virginia residents.
Penalties for non-compliance with the Virginia Consumer Data Protection Act include fines of up to $7,500 per violation. Additionally, the Attorney General may seek injunctive relief to enforce compliance.
To comply with the Virginia Consumer Data Protection Act (VCDPA), businesses must inform consumers of their rights under the Act and establish a process to exercise those rights. Additionally, businesses must ensure transparency in their data processing activities and implement necessary data protection measures.
Yes, the VCDPA provides a 30-day cure period for businesses to address violations before enforcement actions are taken. This allows companies to rectify non-compliance issues proactively.
Sensitive data under the VCDPA includes information related to racial or ethnic origin, religious beliefs, health data, sexual orientation, biometric data, and personal data collected from minors. Businesses must obtain explicit consent before processing such data.
Generally, the VCDPA does not apply to nonprofit organizations. However, certain types of nonprofits, such as those involved in healthcare or higher education, may be subject to the law if they process significant amounts of personal data.
Conclusion
The VCDPA is vital legislation that safeguards the privacy of Virginia residents by giving them authority over their data and placing responsibilities on companies.
It is crucial for consumers and businesses operating in Virginia to comprehend this law’s main aspects, entitlements, and adherence obligations.
By staying informed and being proactive, individuals and businesses can help preserve privacy and cultivate confidence in the digital era.
Do you want to design a beautiful cookie consent banner or a detailed privacy policy for your website? Grab the WP Legal Pages Compliance Platform now!