What is the Virginia Consumer Data Privacy Act?

The California Consumer Protection Act (CCPA), which became law in 2018, was the nation’s first comprehensive consumer data privacy law. Virginia recently passed similar legislation in March of 2021. The Virginia data privacy law is called the Consumer Data Protection Act (CDPA). This data privacy law takes effect on July 1, 2023. The CDPA, like the CCPA, imposes data privacy obligations on businesses, and gives state residents more control over their personal data. More details about the CDPA, including who is exempt from its data privacy provisions, are provided below.

Who is Covered by the Virginia Consumer Data Privacy Act?

The CDPA applies to businesses that: (1) control or process personal data of more than 100,000 Virginia residents acting in an individual or household context, or (2) control or process personal data of at least 25,000 consumers and derive over 50% of their revenue from the sale of personal data. The law excludes data collected in an employment or business-to-business context. A “business-to-business” transaction is a transaction made between two companies, as opposed to a transaction between an individual and a company.

Rights and Responsibilities Under the Virginia Consumer Data Privacy Act

The CDPA imposes data privacy obligations on data controllers and processors. The law defines controllers as entities that determine the purpose and means of processing personal data. Processors, by contrast, are entities that process personal data on behalf of a controller. Processing activities include (among other things) the sale of personal data, targeted advertising, and profiling. Profiling is the collection of personal data, and the inferences drawn from it, for the purpose of predicting user behavior.

The law provides consumers with six main rights with respect to their personal information. Under the law, a consumer is a “natural person who is a Virginia resident.” The CDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The CDPA provides special privacy protection for “sensitive data.”

Sensitive data is defined as a category of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data for the purpose of uniquely identifying a natural person;
  • Personal data collected from a known child; or
  • Precise geolocation data.

The CDPA data privacy law places several responsibilities on controllers, including:

Limits on data collection and use.

The CDPA requires that data controllers limit personal data collection to what is adequate, relevant, and reasonably necessary for the purpose for which the data is processed. If a controller wants to process personal data for a purpose that is not necessary for, or compatible with, the purpose disclosed to the consumer, the consumer must consent to the processing.

Reasonable security practices.

Data controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The scope of these protections should be appropriate to the volume and nature of the personal data at issue, including whether the data is sensitive.

Consent for Processing Sensitive Data.

Before a controller can process any sensitive data of a consumer, the Virginia data privacy law requires that the controller obtain the consumer’s consent. Consent is defined as a clear, affirmative act that indicates a person’s freely given, specific, informed, and unambiguous agreement to the processing. One example of an “affirmative act” is a consumer writing out a statement that gives consent.

Data Processing Agreements (DPAs).

Similar to how HIPAA covered entities must enter into business associate agreements with their business associates to protect PHI and ePHI, the Virginia data privacy law requires that controllers enter into DPAs with their data processors. The DPA must clearly set forth the following:

  • Instructions for how data is to be processed;
  • The nature and purpose of the processing;
  • The duration of the processing; and
  • The rights and obligations of both parties. 

As is the case with a HIPAA business associate agreement, the CDPA requires that specific language relating to these elements be included in the agreement.

Privacy Notice.

A privacy notice is a required element of both the CCPA and the GDPR, and the CDPA has adopted a privacy notice requirement following those laws’ examples. Under the Virginia data privacy law, a data controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose for processing personal data;
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.

Notice of Sale.

Just as HIPAA regulates the sale of protected health information, the CDPA regulates the sale of personal data by controllers to third parties. The CDPA also regulates the processing of personal data for targeted advertising. Controllers engaged in sales or targeted advertising activities must disclose these activities in the privacy notice. In addition, controllers must provide consumers an opportunity to opt out of such activities.

Consumer Request Process.

Controllers must provide consumers with one or more secure means of communication through which consumers can submit a request to exercise their CDPA rights. The data privacy law does not dictate any one particular method of communication (e.g., internet, email, or mail), but rather specifies that the means offered must take into account how consumers normally communicate with the controller and the need for secure and reliable communication of the requests.

Data Protection Assessment.

A data protection assessment is similar to the HIPAA Security Rule security risk analysis. The CDPA requires controllers to conduct and document a data protection assessment for certain processing activities. These activities include:

  • The sale of personal data;
  • The processing of personal data for purposes of targeted advertising or profiling;
  • The processing of sensitive data; and
  • Any processing activities involving personal data that present a heightened risk of harm to consumers.

Data protection assessments must identify and weigh the benefits of the processing to the business against the potential risks to consumers associated with that processing.

What Are Processors’ Obligations Under the CDPA?

Under the CDPA, data processors are required to:

  • Follow the lawful instructions of their controllers;
  • Implement appropriate technical and organizational measures to help the controller respond to consumer requests; and
  • Provide the necessary information for controllers to comply with their data protection assessment obligations.

Six Consumer Rights Dictated by the CDPA

The Virginia data privacy law gives Virginia consumers six specific rights. These include:

  1. The right to access. Under the right to access, consumers have the right “to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.”
  2. The right to correct. Under the right to correct, consumers must be given the opportunity to correct inaccuracies in their personal data. This right is similar to the HIPAA right to request amendment of PHI.
  3. The right to delete. Under the Virginia data privacy law, consumers have the right to delete personal data provided by or obtained about them.
  4. The right to data portability. The right to data portability allows consumers to obtain a copy of data they previously provided to a controller, in a portable and readily usable format.
  5. The right to opt out. Under the right to opt out, consumers can indicate that they do not want their data to be processed for purposes of targeted advertising, sale, or profiling.
  6. The right to non-discrimination. Virginia consumers may not be discriminated against for exercising rights 1 through 5, above.

The Virginia Consumer Data Privacy Act and the HIPAA Safe Harbor Exemption

HIPAA “covered entities,” HIPAA “business associates,” and HIPAA “protected health information” are all exempted from the CDPA’s requirements. That means HIPAA covered entities, business associates, and the PHI that these entities must protect are not subject to the requirements of the CDPA.