Virginia recently joined California in enacting a comprehensive data protection law intended to protect the privacy of its residents. The Virginia Consumer Data Protection Act (the “VCDPA”) is scheduled to take effect on January 1, 2023, so impacted businesses have significant lead time to prepare. This is the first of two posts covering the VCDPA.
The VCDPA has two main goals: (1) providing Virginia residents with expanded rights in connection with their personal data, and (2) imposing obligations on businesses, such as securing personal data, limiting use of personal data to disclosed purposes, and flowing down requirements to processors receiving personal data. While many of the details differ, the overall approach of the VCDPA is very reminiscent of the European Union’s General Data Protection Regulation (“GDPR”) but without some of the more prescriptive elements. Businesses with existing GDPR or California Consumer Privacy Act (“CCPA”) compliance programs will be well positioned for VCDPA compliance.
The VCDPA incorporates a number of familiar concepts from the GDPR. A controller under the VCDPA is a business that alone or jointly with others determines the purposes and means of processing personal data. Processing means manual or automated operations on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data. In contrast to the GDPR, mere access to personal information is not deemed to be processing. A processor is, not surprisingly, an entity that processes personal data on behalf of a controller.
The VCDPA allows consumers to (i) confirm whether a controller is processing the consumer’s personal data and to access the personal data; (ii) correct inaccuracies in the personal data, taking into account, however, the nature of the personal data and the purposes of the processing of the consumer’s personal data; (iii) delete the personal data, whether the personal data was provided by the consumer or was otherwise obtained about the consumer; (iv) obtain a copy of personal data previously provided by the consumer to the controller in a portable and, if technically feasible, readily usable format that allows the consumer to provide the data to another controller without hindrance, where the processing is carried out by automated means; (v) opt out of (a) targeted advertising, (b) the sale of personal data, or (c) profiling in furtherance of decisions that produce legal or other significant effects. Controllers have 45 days to respond to a consumer request, which can be extended for another 45 days if the controller notifies the consumer and provides a reason for the extension.
The VCDPA applies to businesses that control or process personal data of at least (i) 100,000 Virginia residents (referred to as “consumers” in the statute), or (ii) 25,000 consumers if the business derives at least 50% of its gross revenue from the sale of personal data.
Controllers are subject to a number of general requirements. They may not collect more information than is adequate, relevant, and reasonably necessary for the purposes for which the data is processed, which must be disclosed to the consumer. Controllers may only process personal data for purposes that are reasonably necessary and compatible with the purposes disclosed to the consumer, unless the controller obtains the consumer’s consent. Additionally, controllers must implement and maintain reasonable administrative, technical and physical security controls to protect the confidentiality, integrity and accessibility of personal data.
Personal data means any information that is linked or is reasonably linkable to an identified or identifiable natural person, excluding de-identified data or publicly available data. An identified or identifiable natural person is a person who can readily be identified, directly or indirectly. De-identified data means data that cannot be reasonably linked to an identified or identifiable natural person or a device linked to such person. Public information includes information that is lawfully made available through federal, state, or local government records, or information reasonably believed to be lawfully made available to the general public through widely distributed media by the consumer or a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience. Virginia’s public information exception is broader than the exception contained in the CCPA, which only covers information from government records.
Sale of personal data means the exchange of personal data for monetary consideration by the controller to a third party, excluding the disclosure of personal data (i) to a processor that processes the personal data on behalf of the controller; (ii) to a third party for purposes of providing a product or service requested by the consumer; (iii) to an affiliate of the controller; (iv) that the consumer (a) intentionally made available to the general public via a channel of mass media and (b) did not restrict to a specific audience; or (v) to a third party as an asset in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets. In contrast to the CCPA, the VCDPA requires monetary consideration for the disclosure of personal data to constitute a sale.
The VCDPA in its entirety does not apply to (i) financial institutions subject to the Gramm-Leach-Bliley Act; (ii) covered entities or business associates subject to the Health Insurance Portability and Accountability Act or the Health Information Technology for Economic and Clinical Health Act (together, “HIPAA”); (iii) non-profit organizations; and (iv) higher education institutions. Additionally, business contact information, as well as information protected under HIPAA and a number of other federal statutes, such as the Family Educational Rights and Privacy Act (“FERPA”) and the Fair Credit Reporting Act (“FCRA”), is not subject to the VCDPA.
Processing sensitive data requires the consent of the consumer. Sensitive data means (i) personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying a person; (iii) personal data collected from a known child, or (iv) precise geolocation data. Consent requires a clear affirmative act indicating a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data, another requirement that is similar to the GDPR.