TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

What You Need to Know About the New Virginia Consumer Data Protection Act

Get ready for yet another data-related regulation -- this time from the state of Virginia. Here's what you need to know to be prepared for its implementation in 2023 and how the lessons learned from GDPR and CCPA can help.

• By Stephenie G. Anderson Scialabba, Esq., Sandy Garfinkel
• May 7, 2021

The Virginia Consumer Data Protection Act (VCDPA) made history on March 2, 2021 when it became the nation's second comprehensive consumer privacy act. With an effective date of January 1, 2023 and the benefit of hindsight, the VCDPA contains a number of features found in the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), along with several significant differences (see Note 1).

Scope

Like CCPA, VCDPA applies to companies or persons that "do business" in, or target citizens of, the state and utilizes certain quantitative thresholds to identify which entities may be subject to the law, such as collecting or processing a requisite amount of Virginia residents' personal information. However, when comparing VCDPA's jurisdictional analysis to that of CCPA, a standalone revenue threshold (see Note 2) is notably absent; simultaneously bringing "smaller" companies with large amounts of data under the statute while potentially allowing "larger" companies to escape its reach.

Although the "Big Three" (GDPR, CCPA, and VCDPA) share in a broad definition of personal data, VCDPA diverges from its cousins in the treatment of employees and individuals acting in a business capacity. Unlike CCPA, which has a temporary partial carve-out for employees and B2B information, the VCDPA expressly excludes persons acting in a commercial or employment context from the definition of "consumers."

Consumer Rights and Business Obligations

VCDPA builds upon the consumer rights found in CCPA, such as access and portability, by adding a GDPR-style right to correct data, expanding the right to delete it, and creating a right for consumers to appeal decisions on consumer rights requests (which must include a direct pathway to contact the Commonwealth's Attorney General).

VCDPA also partially incorporates the CCPA's right to opt-out of the sale of information. Although VCDPA limits the definition of "sale" to transactions that involve monetary consideration, it allows consumers to opt-out of targeted advertising and certain profiling. VCDPA also requires consent before processing "sensitive data." (see Note 3). This feature more closely resembles GDPR -- CCPA does not include a special category or obligations for data regarded as "sensitive."

Like CCPA, VCDPA requires that consumers have access to a Privacy Notice/Policy that provides key information about the categories of data processed and the purposes of the processing, among other things. Like GDPR, businesses must conduct and document data protection (impact) assessments when performing certain types of processing and must enter into data processing agreements that satisfy the statute's mandates.

Lessons Learned

Thanks to VCDPA's predecessor laws, companies have the benefit of several lessons learned from a compliance perspective:

• Be aware that VCDPA, GDPR, or CCPA/CPRA compliance are not equal substitutes. Certain obligations and concepts may overlap, but there are some key areas of distinction (as mentioned above).


• Be conscious of jurisdictional reach. Many companies elected to voluntarily comply with CCPA out of fear of consequences rather than a confident legal conclusion that compliance was required. Although a calculated risk analysis may lead to a conclusion that compliance is required, it may also plausibly produce a conclusion that compliance is not required.


• Be flexible and anticipate potential changes. CCPA regulations were revised several times before they were finalized, and many of the changes were significant. The VCDPA does not expressly call for the development of regulations by the Virginia Attorney General, but does establish a "work group" of state officials, business representatives, and consumer rights advocates to review the law and submit recommendations by November 1, 2021. This group may ultimately drive the creation of regulations or amendments to the law.


• Be proactive but don't panic. New, comprehensive privacy laws generally give some lead time before becoming effective to allow entities to implement compliance programs. That said, a last-minute rush to achieve compliance could lead to difficulties, especially where vendors are involved. Start early by evaluating what data your company collects and maintains (including whether it falls into a sensitive category), map the sources of data and how you use or disclose it, and decide whether you really need or want it in light of the accompanying obligations. It is also prudent to begin gathering vendor contracts that may need to be amended.


• Be mindful of "sensitive" data. Sensitive personal data is generally treated differently than other data, with more scrutiny concerning its collection and use and greater consumer protections than other forms of personal information.

What to Do Now

It makes sense to start examining whether your organization satisfies the jurisdictional threshold(s) such that you must comply with VCDPA. If your company will be contending with multiple consumer privacy laws, make a game plan for compliance and evaluate whether a hybrid approach -- comprised of the most rigorous aspects of each law -- will be the most effective and efficient overall approach. Your plan should be inter-departmental and include analysis of the practical impact on operations, amendment of vendor contracts, updates to existing privacy policies, data mapping/data inventories, and personnel training.

Finally, in preparing for VCDPA, assess whether your enterprise will be affected by the new California privacy law, CPRA, and be on the lookout for other states that are considering privacy reforms in the nature of CCPA and VCDPA.

Notes:

1. The CCPA was significantly augmented by the California Privacy Rights Act (CPRA), which was passed by referendum vote in November 2020. The CPRA goes into effect the same day as the VCDPA – January 1, 2023, but has a lookback period to 2022 for certain activities and obligations. VCDPA is a hybrid of CCPA, CPRA, and GDPR.

2. In general, if a company "does business" in California and has annual gross revenues of at least $25 million, it will be subject to CCPA, regardless of the amount of data it handles about California residents.

3. Similar to GDPR and CPRA, VCDPA includes the following as "sensitive information":

• (i) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
• (ii) Genetic or biometric data processed for the purpose of uniquely identifying a natural person
• (iii) Personal data collected from a "known child" (undefined)
• (iv) Precise geolocation data