Virginia made a splash by becoming the second U.S. state to pass comprehensive consumer privacy legislation. But how exactly does Virginia’s CCPA law impact businesses and differ from California’s original? This guide explains the VCDPA’s critical protections and obligations.
An Introduction to Virginia’s CCPA Law
Virginia made headlines in 2021 when it became the second U.S. state to enact a comprehensive consumer privacy law, the Virginia Consumer Data Protection Act (VCDPA). This groundbreaking legislation has imparted new data rights and obligations impacting both consumers and businesses in the state.
What is the Virginia Consumer Data Protection Act (VCDPA)?
The VCDPA establishes standards for how businesses can collect, use, and share the personal information of Virginia residents. It grants new rights to consumers over their data, while requiring companies to be more transparent about data practices.
Key components of Virginia’s CCPA law include:
- Consumer Rights: Gives Virginians rights to access, delete, and obtain copies of their personal data, plus the ability to opt out of data sales and targeted advertising.
- Business Duties: Requires data protection assessments, privacy policies, limits on data collection/use, and establishing technical safeguards.
- Enforcement: Empowers the State Attorney General to investigate violations and levy fines up to $7,500 per violation.
- Private Action: Notably does not create a private right of action for consumers to sue. Enforcement is public only.
While similar in approach to the landmark California Consumer Privacy Act (CCPA), Virginia’s law has some important distinctions when it comes to scope, definitions, exemptions, and details of rights/obligations.
Why Did Virginia Pass its Own Consumer Privacy Law?
With consumers more aware of data privacy risks, Virginia joins a growing list of states exerting greater control over information rights and practices. Reasons the commonwealth acted include:
- Increasing Public Concern: Surveys show a strong majority of consumers worry about how companies use their data. New laws address these worries.
- California’s CCPA Catalytic Effect: The CCPA opened the floodgates and drew attention to the policy issue nationwide.
- Desire for Consistency: Individual state laws risk creating a compliance patchwork for businesses. A uniform federal law is unlikely, so states are taking the initiative.
- Business Community Input: Unlike the CCPA, Virginia’s law was enacted through the regular legislative process, which gave business interests significant input.
- Flexibility for State: Preemptively acting gives Virginia more control in crafting privacy safeguards tailored to regional needs and concerns.
While state consumer privacy laws are a relatively new development in the U.S., they follow in the footsteps of more established laws like the E.U.’s General Data Protection Regulation (GDPR). The trend looks likely to continue with more states proposing legislation.
How Does the VCDPA Compare to Other State Privacy Laws Like the CCPA?
Though clearly modeled after the CCPA, Virginia’s privacy law has several notable differences:
- Narrower Scope: Higher thresholds for the number of consumers whose data a business must control/process before the VCDPA applies.
- Fewer Entity Exemptions: The CCPA has a revenue-based applicability threshold, but the VCDPA does not exempt small businesses.
- Employee Data: Work-related information is exempt under the CCPA but covered under the VCDPA in many cases.
- Sale Definition: Stricter standard for what qualifies as a “sale” compared to CCPA.
- No “Do Not Sell” Opt-Out: Does not require clear links/buttons for opting out of data sales like the CCPA.
- Data Protection Assessments: VCDPA uniquely mandates privacy impact assessments for high-risk data activities.
- Enforcement: Under the VCDPA there is no private right of action, and fines are capped at $7,500 per violation, in contrast to the CCPA.
- Unclear Areas: Some provisions lack clarity as a result of legislative compromises and a speedy drafting process.
So in summary, while the VCDPA covers similar ground to the CCPA, there are nuanced differences in multiple areas that businesses must closely analyze to ensure full compliance. The VCDPA charted its own course rather than copying California’s approach wholesale.
Who and What Does Virginia’s CCPA Law Apply To?
Virginia’s consumer privacy law does not impact all businesses across the board. Its applicability depends on definitions, thresholds, and exemptions that determine which entities and data fall under the scope of the VCDPA.
Which Businesses are Covered Under the VCDPA?
The VCDPA only applies to companies that:
- Conduct business in Virginia OR produce products/services targeting residents
- AND either:
  - Control or process personal data of 100,000+ consumers in a calendar year
  - Control or process personal data of 25,000+ consumers AND earn 50%+ of gross revenue from selling personal data
So the law sets two main thresholds related to the number of consumers and sale of data.
Notably, there is NO revenue threshold like the CCPA’s – even small companies with minimal overall revenue are covered if they meet one of the above consumer data criteria.
Some examples of entities potentially covered:
- Online retailers selling to Virginians
- Apps with 100,000+ VA users
- Data brokers meeting the 25,000+ threshold
- Brick-and-mortar stores with customer loyalty programs
- VA healthcare providers with digital patient records
And entities likely NOT covered:
- Stores with limited VA customer data
- Small professional services firms
- Companies with no VA sales or operations
- Startups yet to scale consumer data
So in summary, medium to large companies controlling significant amounts of Virginian consumer data need to comply, regardless of overall revenue. Smaller entities are not necessarily exempt, as they are under some other states’ privacy laws.
Key Definitions Like “Consumer” and “Sale of Personal Data”
Several key definitions further shape the law’s applicability:
- Consumer: A VA resident acting in a personal/household context, NOT a commercial or employment context. So B2B data is exempt.
- Personal Data: Information linked to an identified consumer, excluding de-identified data. Public information is exempt.
- Sale of Personal Data: A monetary exchange of data to a third party; it does not include transfers to service providers.
- Targeted Advertising: Serving ads based on a consumer’s personal data and activities over time.
These definitions create some compliance gray areas companies will need to navigate carefully, particularly newer terms like “targeted advertising” that aren’t found in every state privacy law.
Notable Exemptions for Certain Entities and Data Types
Some organizations and data categories are completely exempt from the VCDPA:
Exempt Entities:
- Government Agencies
- HIPAA-Covered Entities
- Non-Profit Organizations
- Higher Education Institutions
Exempt Data:
- HIPAA Health Data
- GLBA Financial Data
- FCRA Credit Report Data
- Employee Information
- Publicly Available Data
So for example, a university in Virginia will not need to provide student data access or deletion rights under this law. However, the gift shop or other commercial arms of a non-profit may still need to comply.
In summary, businesses handling significant consumer data will need to closely analyze if they meet the covered entities and data definitions before writing the VCDPA off as not applicable. The nuances matter greatly in determining true compliance obligations.
Consumer Rights and Business Obligations Under the VCDPA
The VCDPA grants new privacy rights to Virginia residents regarding their personal data. It also imposes a range of compliance requirements on covered businesses to alter data practices.
Consumer Privacy Rights Provided by the VCDPA
Virginia consumers receive the following data rights under the VCDPA:
Access Right – Consumers can request details on what personal data a business collects, uses, and shares about them. This includes accessing copies of the actual data.
Deletion Right – Individuals can request deletion of their personal data, with some exceptions.
Correction Right – Consumers can request corrections to inaccurate personal data held by a business.
Data Portability Right – Where feasible, individuals can obtain copies of their data from a business in a readily usable format to transfer to another entity.
Opt-Out of Sale/Targeting – Virginians can opt out of having their personal data sold or used for targeted advertising.
Appeal Denials – If a business refuses an individual’s privacy request, the consumer can appeal the decision within a reasonable timeframe.
Non-Discrimination – Exercising these new rights cannot result in unfair discrimination or denial of services.
Consumers submit requests directly to businesses, which must authenticate the individual and respond within 45 days. Requests can be made free of charge up to twice per year.
These rights align closely with those found in the CCPA and other privacy laws. However, notable omissions include a specific right to opt out of “sharing” personal data with third parties, and a right to request minimized data collection.
Business Responsibilities and Compliance Requirements
To uphold consumer rights, the VCDPA imposes a range of compliance duties on covered businesses:
Limit Collection – Cannot collect more personal data than reasonably necessary for disclosed business purposes.
Limit Use – Can only use/process data for purposes compatible with what is disclosed to consumers at collection.
Establish Safeguards – Must implement reasonable data security safeguards appropriate to the data volume/sensitivity.
Conduct Assessments – Must perform and document data protection assessments evaluating risks for activities like profiling, targeted advertising, processing sensitive data, and high-risk processing that poses a threat of consumer injury.
Honor Opt-Outs – Must respect when consumers opt out of targeted advertising, sales of personal data, and profiling that significantly impacts them.
Post Privacy Policy – Must have an online privacy policy detailing data practices, consumer rights, how to make requests, etc.
Maintain Data Processing Agreements – Any sharing of personal data with third-party processors like service providers or contractors must be governed by a GDPR-like data processing agreement outlining access and use restrictions.
Follow CCPA When Applicable – Subject to compliance with certain parts of the California law for California residents’ data.
Provide Notice of Security Breaches – Must notify the Attorney General when breaches likely to cause identity theft or financial harm occur.
While the VCDPA may not be as prescriptive as laws like the CCPA and GDPR, it creates a baseline set of obligatory data privacy and security controls for Virginian consumers relative to the previous status quo.
Data Protection Assessments and Agreements Required
Among the more unique VCDPA compliance duties are mandates to perform assessments and execute agreements:
Data Protection Assessments
- Required for high-risk data activities like profiling, targeted advertising, processing sensitive data, and practices posing consumer injury risks.
- Must evaluate risks and benefits, mitigation measures, and reasonable alternatives, and must use de-identified data where possible.
- Assessments are confidential documents only shared with the Attorney General if requested.
- Can address a “comparable set of processing operations” together.
- Must be ongoing for new activities, but not retroactive.
Data Processing Agreements
- Required whenever sharing personal data with a third-party processor like a service provider, contractor, or vendor.
- Must outline data access permissions, handling restrictions, processing purposes, confidentiality duties, and more based on GDPR standards.
- Agreements make processors legally liable for violations as well as controllers.
- Can rely on vendors’ existing DPA templates as long as they meet VCDPA criteria.
These assessment and agreement requirements operationalize privacy and security practices as regular business processes rather than just abstract legal principles. They also distribute accountability through the entire data ecosystem.
Transparency Through Privacy Notices/Policies
The VCDPA also advances consumer transparency:
- Privacy Policy Required – Must publish a privacy notice detailing data practices, consumer rights, how to make requests, data sales/targeting, and third-party sharing.
- Existing Policies Likely Insufficient – Most pre-VCDPA privacy policies will need updates to fully cover all required information.
- Notice at Collection – Best practice is providing the privacy policy when first gathering personal data from consumers.
- Conspicuous Notice of Sales & Targeting – If selling data or using it for targeted advertising, businesses must clearly inform consumers of this fact and how to opt-out.
- Direct Notice of Security Breaches – Must directly notify affected consumers, not just the Attorney General, when breaches occur.
- Respond to Access Requests – Must provide details to consumer inquiries about what personal data is held, shared, sold, or retained.
While the VCDPA does not mandate California-style “Do Not Sell My Info” links, robust privacy policies and consumer notices can help ensure businesses uphold transparency obligations under Virginia’s law.
Enforcement and Penalties for VCDPA Violations
The VCDPA empowers Virginia’s Attorney General to investigate violations and pursue enforcement actions against non-compliant businesses. However, consumers cannot directly file lawsuits for VCDPA infringements.
Enforcement Authority and Power of the Attorney General
The Virginia Attorney General has exclusive authority to enforce the VCDPA. Key enforcement powers include:
- Issue Subpoenas – Can subpoena information and documents from businesses relating to potential VCDPA violations.
- Conduct Audits – Is authorized to audit businesses for compliance through methods like interviews, site visits, device inspection, and records review.
- File Lawsuits – May bring civil actions against violators and seek injunctions or penalties through the courts.
- Impose Fines – Can levy administrative fines of up to $7,500 per violation of the VCDPA.
- Issue Regulations – Has power to adopt regulations as needed to further implement and clarify the law.
- Consult with Businesses – Expected to consult with industry representatives before initiating enforcement actions.
- Sue Federal Agencies – May file suits against federal agencies for VCDPA violations.
So in summary, the Attorney General has broad discretion to investigate complaints, pressure compliance via fines and lawsuits, and expand upon the VCDPA through regulatory actions.
Process for Investigations, Notices, and Fines
A multi-step process applies to VCDPA enforcement:
- Complaints Received – The Office of the Attorney General (OAG) becomes aware of potential violations through consumer complaints, competitor tips, data breach notices, company filings, or proactive monitoring.
- Initial Notice Issued – Alleged violators get 30 days’ notice to cure problems identified by the OAG and attest in writing that violations have stopped.
- Continued Violations – If issues remain unresolved after the notice period, the OAG may impose fines up to $7,500 per violation.
- Failure to Cooperate – Businesses unwilling to comply with subpoenas or audits may face additional contempt-of-court sanctions.
- Court Injunctions – Civil lawsuits can seek court injunctions to force specific actions or halt illegal practices beyond just monetary penalties.
- Appeal Process – Businesses can administratively appeal OAG actions, but must pay fines into escrow during the appeal.
So notifications and an opportunity to voluntarily cure problems generally precede formal enforcement. But protracted violations can quickly escalate fines into the millions given the per-violation penalty structure.
No Private Right of Action Under VCDPA
A major contrast versus the CCPA is the VCDPA’s lack of a private right of action. This means:
- No Individual Lawsuits – Consumers cannot directly sue for VCDPA violations in court like they can under the CCPA. Enforcement is exclusively through the Attorney General.
- No Class Actions – Lawyers cannot initiate class action lawsuits for data breaches or illegal practices under this Virginia law.
- Slow Claims Process – Without litigation threat, businesses may be slower to respond to individual complaints and claims.
- Unclear If Violations Must Be Harmful – Unclear if the OAG can act on technical violations causing no consumer harm or if some injury is required.
- Fewer Resources – The OAG has limited bandwidth compared with a regime that supplements public enforcement with the plaintiffs’ bar.
So while businesses may welcome the reduction in direct legal risk, the lack of a private right of action could blunt the VCDPA’s impact, since there is no threat of consumer damages claims to promote responsiveness and accountability.
Looking Ahead: Implementation Deadlines and Future Changes
While the VCDPA is now enacted, critical deadlines and open questions remain about the new law’s trajectory. Both regulators and businesses have work ahead to provide clarification and ensure full compliance.
Upcoming Compliance Deadline of January 1, 2023
- VCDPA provisions take effect on January 1, 2023 – just over a year after the bill’s passage.
- This gives companies a transition period to update systems, processes, notices, agreements, assessments, and policies required under the Act.
- Many businesses will require at least 6 months for the complex technical and organizational changes involved.
- Immediate focus should be on scoping data practices against VCDPA definitions and obligations to identify gaps.
- Crucial deadline for businesses – key rights, duties, and prohibitions will be enforceable starting 1/1/2023.
- No transition period for new data activities begun after the effective date.
So in summary, businesses have just over a year to fully implement the VCDPA’s requirements. The compliance transition clock is ticking.
Potential Areas of Clarification or Changes in Future
Some areas of the VCDPA remain unclear or underdeveloped, raising the prospect of future clarifications or amendments:
- Narrow Interpretation of “Sale” Definition – The strict limitation of sales to monetary transfers may require tweaks if it creates loopholes.
- “Non-Profit” Definition – The undefined use of the general tax term “non-profit organization” creates ambiguity around exemptions.
- Data Protection Assessments – Unclear how often assessments must be performed and how extensively they must be documented.
- Applicability to Non-Natural Persons – Unclear rights and obligations for data belonging to entities rather than individual consumers.
- Employee/HR Information Rights – Carve-outs for employee data are narrower than in other state laws and may require refinement.
- Data Broker Coverage – Data brokers may lobby for exemptions or different treatment given the law’s focus on consumer data volumes.
- Cybersecurity Standards – Additional rulemaking likely needed to outline what constitutes “reasonable” security under the VCDPA.
While major structural changes seem unlikely, the natural evolution of clarifications, feedback, and political pressures will shape the VCDPA’s long-term direction.
How Businesses Should Prepare for VCDPA Compliance
Key steps for businesses to take in gearing up for VCDPA compliance:
- Review data practices against the law’s definitions, rights, and obligations.
- Start planning upgrades to privacy policies, notices, data systems, agreements, and security controls.
- Designate an internal point person to coordinate efforts. Consider hiring outside expertise.
- Allocate sufficient budget and staffing. Compliance costs will be meaningful.
- Prepare processes for timely response to consumer rights requests.
- Develop protocols for required data protection assessments.
- Negotiate updated data processor contract terms with vendors and providers.
- Monitor for regulatory guidance over the coming year.
- Follow enforcement actions once the law takes effect.
- Consider joining an industry association to collectively work through issues.
- Document compliance efforts in case of future OAG audits.
With smart preparation starting immediately, businesses can position themselves to meet the VCDPA’s demands by the January 1, 2023 effective date.
Conclusion and Key Takeaways
Virginia’s enactment of the Consumer Data Protection Act ushers in a new era of expanded privacy rights and duties in the state. While modeled after trailblazing laws like the CCPA, the VCDPA has crafted its own standards and procedures.
Review of Main Components and Requirements of the VCDPA
Key facets of Virginia’s consumer privacy law include:
- Consumer Rights: Data access, deletion, correction, portability, and opt-out of sale/targeting. Appeal process for denials.
- Business Obligations: Limit data collection, provide transparency, implement security controls, conduct assessments, execute data processing agreements, honor opt-outs.
- Applicability: Thresholds based on controlling/processing 25,000+ consumers’ data, or 100,000+ if no data sales. Virginia-focused businesses are covered regardless of revenue.
- Exemptions: Complete exemptions for sectors like government, healthcare, education and non-profits. Employee, public, and other data types also exempt.
- Enforcement: Exclusively through Attorney General investigations and actions. No individual private right of suit. Fines up to $7,500 per violation.
- Effective Date: January 1, 2023 implementation deadline. Transition period for businesses to achieve full compliance.
While not as far-reaching as laws like the GDPR, the VCDPA provides meaningful baseline privacy safeguards for Virginia consumers and obligations for businesses in the modern data economy.
Recommendations for Businesses Impacted by Virginia’s CCPA Law
To prepare for the VCDPA, Virginia businesses should:
- Review data practices against the law’s definitions and provisions.
- Classify data flows, vendors, contracts, and systems as in-scope or exempt.
- Update privacy policies, breach notifications, agreements, security controls, and consumer response processes.
- Plan and implement required data protection assessments.
- Train staff on new privacy practices and consumer request protocols.
- Budget for technical, legal, and organizational resources involved.
- Monitor for additional regulatory guidance and plan to iterate as needed.
- Document compliance efforts in the event of a future OAG audit.
Remaining Questions and Need for Further Guidance
Many details of the untested VCDPA will be clarified over time through real-world experience and regulator feedback. Open issues include:
- Frequency and documentation requirements for data protection assessments.
- Applicability for non-natural legal entities like corporations.
- Adequacy of security safeguards given lack of detailed standards.
- Handling of employee and HR information under the law.
- Expansion of narrow definitions like “sale” and “non-profit.”
- Whether harm is required for OAG enforcement against violations.
- Funding and resources for oversight and enforcement.
The VCDPA’s broad state-level framework will evolve with time as regulators, legislators, and businesses iteratively address applications and sector-specific concerns.
Key Takeaways
- Virginia’s Consumer Data Protection Act grants new privacy rights to state residents and imposes compliance obligations on many businesses.
- The VCDPA shares similarities with the California Consumer Privacy Act but has important differences in scope, definitions, exemptions, and details.
- Key consumer rights include data access, deletion, correction, portability, and opt-out of sale/targeting. Appeals process available for denials.
- Businesses must limit data collection, provide transparency through privacy policies, implement security controls, conduct assessments, execute data processing agreements, and more.
- Compliance required by January 1, 2023. Most companies will need 6+ months to upgrade practices, systems, and procedures to align with the VCDPA.
- Enforcement is exclusively through the Attorney General, not private consumer lawsuits. Fines up to $7,500 per violation.
- The law leaves many details to be clarified over time through regulators, legislators, and business feedback based on practical experience.
- Businesses should proactively review the VCDPA against their data practices and develop comprehensive compliance plans immediately.
Frequently Asked Questions
Q: When does the VCDPA take effect?
A: The VCDPA’s effective date is January 1, 2023. The law was enacted in 2021 but included a transition period for businesses to achieve compliance.
Q: What businesses does the VCDPA apply to?
A: Those controlling/processing data of 25,000+ VA consumers or 100,000+ nationally if they also earn 50%+ revenue from selling data. No revenue threshold, so small businesses can be covered.
Q: What rights do consumers have under the VCDPA?
A: Rights to access, delete, correct, and obtain copies of personal data. Opt-out of sales and targeted advertising. Appeal denials. Non-discrimination protections.
Q: What are the main business compliance obligations?
A: Limit collection, conduct assessments, implement security controls, enter data processing agreements, provide transparency through privacy policies, honor opt-outs.
Q: Does the VCDPA have a private right of action?
A: No, only the Virginia Attorney General can enforce the law against violators. No individual consumer lawsuits permitted.
Q: What are the penalties for violations?
A: Up to $7,500 per violation. Fines can quickly escalate into the millions given the per-violation civil penalty structure.
Q: What exemptions exist under the VCDPA?
A: Complete entity-level exemptions for government, non-profits, healthcare, and education, plus some data-type carve-outs like HIPAA and GLBA data.
Q: How should businesses prepare for the VCDPA?
A: Review practices against the law now, designate an internal point person, budget for changes required, update systems and policies, monitor for new regulatory guidance.
Q: What areas of the VCDPA are still unclear?
A: Details around assessments, non-natural entities, security standards, employee exemptions, non-profit definition, and enforcement thresholds.