Virginia Consumer Data Protection Act To Become Effective in 2023

In 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (“VCDPA”). The Virginia Consumer Data Protection Act is the second comprehensive state data privacy law; California’s Consumer Privacy Act of 2018 (CCPA) was the first. The VCDPA becomes effective on January 1, 2023. Details of the Virginia Consumer Data Protection Act are provided below.

Virginia Consumer Data Protection Act: Definitions and Coverage

The Virginia Consumer Data Protection Act regulates the commercial use of consumer personal data. To qualify as a regulated entity under the Virginia Consumer Data Protection Act, an entity must either conduct business in Virginia or market its goods and services to Virginia residents. 

The entity must also either:

  • Control or process the personal data of at least 100,000 Virginia residents; or
  • Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of its gross revenue from the sale of personal data.

The Virginia Consumer Data Protection Act contains the following definitions:

  • Consumer. A consumer is defined as a natural person who is a resident of Virginia, acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.
  • Controller. A controller is a person or entity that, alone or jointly with others, determines the purpose and means of processing personal data.
  • Personal data. Personal data means any information linked or reasonably linkable to an identified or identifiable individual. Examples of personal data include name, age, address, phone number, and email address. “Personal data” does not include de-identified data or publicly available information.
  • Processor. A processor is an entity that processes personal data on behalf of a controller. The controller-processor relationship is analogous to the HIPAA covered entity-business associate relationship; in each instance, one entity (in the case of HIPAA, the business associate) is handling protected information on behalf of another. 
  • Sale of personal data. “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.
  • Sensitive data. Sensitive data is personal data that includes:
    • Data revealing racial or ethnic origin
    • Data revealing religious beliefs
    • Data revealing mental or physical health diagnosis
    • Data revealing the sexual orientation of an individual
    • Data revealing the citizenship or immigration status of an individual
    • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
    • Personal data collected from a known child
    • Precise geolocation data
