From Coast to Coast: Virginia Passes First Consumer Data Protection Act Since the CCPA

March.03.2021

Following in the footsteps of the California Consumer Privacy Act (CCPA), the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation. The Virginia Consumer Data Protection Act (VCDPA) was signed into law by Governor Ralph Northam yesterday on March 2, 2021. The VCDPA will become effective on January 1, 2023, right alongside the recently enacted California Privacy Rights Act (CPRA), which significantly amended the CCPA (additional information on the CPRA can be found here). The following is a brief description of the VCDPA’s key components. Keep an eye out for a forthcoming article outlining the most important differences between the VCDPA and the CPRA.

Who Is Required to Comply?

Controllers and Processors

The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

during a calendar year, control or process personal data of at least 100,000 Virginia residents; or
control or process personal data of at least 25,000 Virginia residents and derive more than 50 percent of gross revenue from the sale of personal data. § 59.1-572.A

Like the European Union’s General Data Protection Regulation (GDPR), the VCDPA distinguishes between controllers and processors:

A controller is the natural or legal person that, alone or jointly with others, determines the purpose and means (i.e., the why and the how) of processing personal data. § 59.1-571
A processor is the natural or legal entity that processes personal data on behalf of the controller. § 59.1-571

Statutory Exemptions

Through the definition of “consumer” and other provisions, the VCDPA generally does not apply to information about a natural person acting in a commercial (B2B) or employment context (including emergency contact information and benefits information). §§ 59.1-571; 59.1-572.C.14. It is important to note that unlike the CCPA, there is no sunset period for this exemption.

The VCDPA further does not apply to (i) non-profit organizations; (ii) institutions of higher education; (iii) Virginia government entities; (iv) financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); (v) covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA), nor any protected health information under HIPAA and certain other regulated health information; and (vi) processing of information pursuant to the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), Family Educational Rights and Privacy Act (FERPA), and Farm Credit Act (FCA). § 59.1-572

The VCDPA also contains a number of additional limitations on the authority of the VCDPA that are beyond the scope of this article. § 59.1-578

What Information Is Protected?

Personal Data

The VCDPA protects “Personal Data,” which is defined broadly to mean any information that is linked or reasonably linkable to an identified or identifiable natural person. § 59.1-571

The Act delineates “Sensitive Data” as a separate category of personal data, which includes: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child under the age of 13; or precise geolocation data (any information derived from technology that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet). § 59.1-571

Personal data under the VCDPA does not include:

De-Identified Data, which is data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. § 59.1-571
Publicly Available Information, which includes information lawfully made available from government records and information the controller or processor has a reasonable basis to believe is lawfully made available to the general public under certain circumstances. § 59.1-571

The VCDPA also excludes “Pseudonymous Data” from certain controller obligations (excluding Sensitive Data Restrictions) and certain consumers rights (excluding Opt-Out Rights) provided the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 59.1-577.D

What Obligations Do Controllers Have?

The VCDPA requires a controller to:

Consumer Notice: Provide consumers with a reasonably accessible, clear and meaningful privacy notice about the controller’s privacy practices and consumer’s rights. § 59.1-574.C
Collection Limitation: Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. § 59.1-574.A.1
Purpose Limitation: Not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, unless the controller obtains the consumer’s consent or an exception applies. § 59.1‑574.A.2
Sensitive Data Restriction: Not process sensitive data concerning a consumer without obtaining the consumer’s consent. § 59.1-574.A.5
De-Identified Data Requirements:
- Take reasonable measures to ensure that the data cannot be associated with a natural person;
- Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
- Contractually obligate any recipients of de-identified data to comply with these requirements. § 59.1-577
Reasonable Security: Establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, which are appropriate to the volume and nature of the personal data at issue. § 59.1-574.A.3
Data Protection Assessments: Conduct and document a data protection assessment for:
- The processing of personal data for purposes of targeted advertising;
- The sale of personal data;
- The processing of personal data for purposes of profiling that presents certain reasonably foreseeable risks to the consumer;
- The processing of sensitive data; and
- Any processing activities involving personal data that present a heightened risk of harm to consumers. § 59.1-576
No Discrimination:
- Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. § 59.1-574.A.4
- Not discriminate against a consumer for exercising any of the consumer rights granted by the VCDPA, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer (with qualified exceptions for when a consumer exercises their right to opt out or is voluntarily participating in a bona fide loyalty, rewards, premium features, discounts or club card program). § 59.1-574.A.4
Processor Contracts: Enter into a contract with any processor, which among other things sets forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.§ 59.1-575.B

What Obligations Do Processors Have?

The VCDPA requires processors to:

Comply with Instructions: Adhere to the instructions of a controller. § 59.1-575.A.
Provide Assistance to the Controller: Assist the controller in meeting its obligations under the VCDPA, including in relation to (i) consumer rights requests, (ii) protecting personal data and reporting any breach of personal data and (iii) data protection assessments. § 59.1-575.A
Controller Contracts: Enter into the necessary contract with the controller. § 59.1-575.B

What Rights Are Granted to Consumers?

The VCDPA requires a controller to comply with authenticated requests to exercise the following rights:

Right to Access: To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data. § 59.1-573.A.1
Right to Portability: To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. § 59.1-573.A.4
Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. § 59.1-573.A.2
Right to Opt Out: To opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 59.1-573.A.5
Right to Deletion: To delete personal data provided by or obtained about the consumer. § 59.1‑573.A.3

The VCDPA is unique in that it provides a statutory right to appeal the denial of a consumer rights request. If such an appeal is denied, the controller must ensure the consumer is provided with “an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.” § 59.1-573.C

How Is the Law Enforced?

The Virginia Attorney General will have exclusive authority to enforce the VCDPA through civil investigative demands and civil actions for injunctive relief and civil penalties of not more than $7,500 per violation. The Act provides a 30-day right to cure provision and does not contain a private right of action. §§ 59.1-579; 59.1-580

Conclusion

In summary, the Commonwealth of Virginia has become the second U.S. state to enact comprehensive consumer data protection legislation, following in the footsteps of the CCPA. The VCDPA will become effective on January 1, 2023, and will (i) impose new obligations on both controllers and processors who process personal data of Virginia residents and (ii) grant new rights to Virginia residents with respect to their personal data. Stay tuned for further updates on preparing for the VCDPA and how this new law compares to other comprehensive data protection legislation.

Authors

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Nicholas Farnsworth Senior Associate, Cyber, Privacy & Data Innovation, Artificial Intelligence (AI)

Boston

See my bio

M:+1 978 430 8003
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Artificial Intelligence (AI)
Technology Transactions
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Nicholas Farnsworth Senior Associate

Boston

Nick provides compliance guidance on both proposed and effective laws on a federal and state level in the United States, including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Children’s Online Privacy Protection Act (COPPA)
Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Section 5 of the Federal Trade Commission Act (FTC) Act
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws
U.S. artificial intelligence laws

He also counsels clients on the impact of international laws from a U.S. perspective, including the General Data Protection Regulation (GDPR), the ePrivacy Directive (ePD), and the EU Artificial Intelligence Act.

Nick helps clients develop flexible governance frameworks for the development and use of artificial intelligence in the face of ever evolving AI legislation. He also advises clients on strategies, policies and procedures for the sourcing of AI training data, the responsible use of AI by employees, the assessment of risks presented by AI tools, the design of consumer-facing AI, the negotiation of AI-related contracts and the handling of AI-related regulatory inquiries and investigations.

Nick also devotes a portion of his practice to innovative client solutions and community engagement. He was part of the Orrick team that developed Orrick’s AI Resource Center, EU AI Act reference guide, U.S. AI Law Tracker and Gen AI Policy Builder. His pro bono practice has included representing clients in immigration and innocence matters and assisting small businesses with their legal needs.

Nick has obtained the Certified Information Privacy Professional -/ United States (CIPP/US), Certified Information Privacy Technologist (CIPT) and Privacy Law Specialist (PLS) designations from the International Association of Privacy Professionals (IAPP).