Virginia’s new Consumer Data Protection Act (“VCDPA”) was signed into law on March 2, 2021 and took effect on January 1, 2023. We have rounded up everything consumers need to know about the impact the VCDPA may have on them.
Who does the VCDPA apply to?
The VCDPA applies to businesses that either conduct business in Virginia or produce products or services targeted to residents of Virginia, and that, during a calendar year, either:
- Control or process personal data of at least 100,000 consumers; or
- Control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.
Who is exempt from the VCDPA?
The VCDPA exempts:
- Any “body, authority, board, bureau, commission, district, or agency” of Virginia or any of its political subdivisions.
- Financial institutions, or data, subject to the federal Gramm-Leach-Bliley Act.
- Covered entities or business associates governed by HIPAA or the HITECH Act.
- Nonprofit organizations.
- Institutions of higher education.
Who does the VCDPA protect?
The VCDPA is designed to protect consumers acting in an individual or household context. It does not cover a person acting in a commercial or employment context.
What types of data does the VCDPA include?
- Personal data: any information that is linked or reasonably linkable to an identified or identifiable person. This does not include de-identified data or publicly available information.
- Sensitive data: a category of personal data that includes any of the following:
  - Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  - Genetic or biometric data processed for the purpose of uniquely identifying a natural person.
  - Personal data collected from a known child.
  - Precise geolocation data.
- Biometric data: data generated by automatic measurements of an individual’s biological characteristics (e.g., fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual). This does not include a physical or digital photograph, a video or audio recording (or data generated from them), or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
How does the VCDPA protect consumers?
The VCDPA provides consumers with certain rights, such as the right to:
- Confirm whether a business is processing the consumer’s personal data.
- Correct inaccuracies in the consumer’s personal data.
- Delete personal data provided by or obtained about the consumer.
- Obtain access to and a copy of the consumer’s personal data.
- Opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
In addition to creating certain rights, the VCDPA protects consumers by requiring the following of businesses:
- Notice. Businesses must provide consumers with an accessible, clear, and meaningful privacy notice that tells them:
  - What personal data is collected.
  - The purpose for the processing of personal data.
  - The categories of personal data shared with third parties.
  - The categories of third parties with whom the controller shares personal data.
  - How consumers may exercise their personal rights under the VCDPA.
- Disclosures. A business must disclose its intent to sell data to third parties or to process personal data for targeted advertising and must explain how the consumer can opt out.
- Limits on data collection. The VCDPA limits personal data collection to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed, unless consent is obtained from the consumer.
- Security. The VCDPA requires businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data. Businesses are also required to conduct data protection assessments on certain processing activities involving personal data. The VCDPA emphasizes reasonableness; thus, the security practices should be appropriate to the volume and nature of the personal data at issue.
- Anti-Discrimination. The VCDPA prohibits businesses from discriminating against consumers for exercising any of their rights under the Act. For example, a business cannot deny a consumer goods or services, charge different prices/rates, or provide a different quality of goods or services to a consumer because he or she chose to opt out of the processing of personal data or correct an inaccuracy in personal data.
How do consumers exercise their rights under the VCDPA?
- Initial request. Covered businesses must establish, and describe in their privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their rights. Once a consumer submits a request, businesses have 45 days to respond, which may be extended by an additional 45 days when reasonably necessary, provided the controller informs the consumer of the extension and the reason for it within the initial 45-day period.
- Appeals. If the business declines to take action, it must inform the consumer of its justification and provide instructions on how to appeal the decision. Within 60 days of receipt of an appeal, a business must inform the consumer, in writing, of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller must also provide the consumer with information on how to submit a complaint to the Attorney General.
- Costs. Any information provided by a business to a consumer in response to a consumer request must be provided free of charge, up to twice annually per consumer. However, if requests from a consumer are “manifestly unfounded, excessive, or repetitive,” the business may decline to act on the request or charge the consumer a reasonable fee to cover the administrative costs of complying with the request.
How is the VCDPA enforced?
The VCDPA provides no private right of action; the Virginia Attorney General has exclusive enforcement authority. Violators are allowed a 30-day cure period to correct violations.
What are the penalties for violations of the VCDPA?
Penalties include injunctive relief and fines of up to $7,500 for each violation.