Virginia Consumer Data Protection Act To Become Effective in 2023

In 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (“VCDPA”). The Virginia Consumer Data Protection Act is the second comprehensive state data privacy law; California’s Consumer Privacy Act of 2018 (CCPA) was the first. The VCDPA becomes effective on January 1, 2023. Details of the Virginia Consumer Data Protection Act are provided below.

Virginia Consumer Data Protection Act: Definitions and Coverage

The Virginia Consumer Data Protection Act regulates the commercial use of consumer personal data. To qualify as a regulated entity under the Virginia Consumer Data Protection Act, an entity must either conduct business in Virginia or market its goods and services to Virginia residents.

The entity must also either:

  • Control or process the personal data of at least 100,000 Virginia residents; or
  • Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of its gross revenue from the sale of personal data.

The Virginia Consumer Data Protection Act contains the following definitions:

  • Consumer. A consumer is defined as a natural person who is a resident of Virginia, acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.
  • Controller. A controller is a person or entity that, alone or jointly with others, determines the purpose and means of processing personal data.
  • Personal data. Personal data means any information linked or reasonably linkable to an identified or identifiable individual. Examples of personal data include name, age, address, phone number, and email address. “Personal data” does not include de-identified data or publicly available information.
  • Processor. A processor is an entity that processes personal data on behalf of a controller. The controller-processor relationship is analogous to the HIPAA covered entity-business associate relationship; in each instance, one entity (in the case of HIPAA, the business associate) is handling protected information on behalf of another.
  • Sale of personal data. “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.
  • Sensitive data. Sensitive data is personal data that includes:
    • Data revealing racial or ethnic origin
    • Data revealing religious beliefs
    • Data revealing mental or physical health diagnosis
    • Data revealing the sexual orientation of an individual
    • Data revealing the citizenship or immigration status of an individual
    • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
    • Personal data collected from a known child
    • Precise geolocation data

How Does the Virginia Consumer Data Protection Act Further Consumer Privacy?

The Virginia Consumer Data Protection Act imposes the following responsibilities on controllers:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is processed.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Data security practices must be appropriate for the volume and sensitivity of the personal data.
  • Conduct and document a data protection assessment of each of the following processing activities involving personal data:
    • The processing of personal data for purposes of targeted advertising
    • The sale of personal data
    • The processing of sensitive data
    • Any processing activities involving personal data that present a heightened risk of harm (financial, physical, or reputational harm) to consumers
  • Give consumers a privacy notice that includes:
    • The categories of personal data processed by the controller
    • The purpose for processing personal data
    • How consumers may exercise their rights under the VCDPA
    • The categories of personal data that the controller shares with third parties
    • The categories of third parties with whom the controller shares personal data

What Rights Does the Virginia Consumer Data Protection Act Give Consumers?

A consumer may submit a request to a controller at any time, to invoke one or more of the following rights:

  • Confirmation of whether the controller is processing the consumer’s personal data and access to that data
  • Correcting inaccuracies related to the consumer’s personal data
  • Deleting personal data
  • Obtaining a copy of the consumer’s personal data provided by the consumer to the controller
  • Opting out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling

Once a consumer makes a request invoking these rights, the controller must respond to the consumer without undue delay, but in no event later than 45 days from receipt of the request. If a controller denies a request, the controller must inform a consumer of the denial within 45 days of receipt of the request. The controller must give the reason for the denial and provide instructions for appeal. The controller must also develop a formal appeals process.

If an appeal is denied, the controller must provide the consumer with a mechanism to contact the Attorney General to submit a complaint.

Virginia Consumer Data Protection Act: HIPAA Safe Harbor

Protected health information (PHI) governed by HIPAA is exempt from the VCDPA’s data protection requirements. In other words, the Act does not specifically regulate PHI. Covered entities and business associates governed by the HIPAA privacy, security, and breach notification rules are also exempt from the VCDPA.

Virginia Consumer Data Protection Act: Enter the Enforcer

The Virginia Attorney General investigates complaints of potential violations of the VCDPA. If the AG has reasonable cause to believe the law has been, is, or is about to be violated, the AG is empowered to bring a lawsuit, in the name of the state, for civil penalties. The AG can recover up to $7,500 for each violation.