What You Need to Know About the New Virginia Consumer Data Protection Act
Get ready for yet another data-related regulation -- this time from the state of Virginia. Here's what you need to know to be prepared for its implementation in 2023 and how the lessons learned from GDPR and CCPA can help.
- By Stephenie G. Anderson Scialabba, Esq., Sandy Garfinkel
- May 7, 2021
The Virginia Consumer Data Protection Act (VCDPA) made history on March 2, 2021 when it became the nation's second comprehensive consumer privacy act. With an effective date of January 1, 2023 and the benefit of hindsight, the VCDPA contains a number of features found in the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), along with several significant differences (see Note 1).
Like CCPA, VCDPA applies to companies or persons that "do business" in, or target citizens of, the state and utilizes certain quantitative thresholds to identify which entities may be subject to the law, such as collecting or processing a requisite amount of Virginia residents' personal information. However, when comparing VCDPA's jurisdictional analysis to that of CCPA, a standalone revenue threshold (see Note 2) is notably absent, simultaneously bringing "smaller" companies with large amounts of data under the statute while potentially allowing "larger" companies to escape its reach.
Although the "Big Three" (GDPR, CCPA, and VCDPA) share in a broad definition of personal data, VCDPA diverges from its cousins in the treatment of employees and individuals acting in a business capacity. Unlike CCPA, which has a temporary partial carve-out for employees and B2B information, the VCDPA expressly excludes persons acting in a commercial or employment context from the definition of "consumers."
Consumer Rights and Business Obligations
VCDPA builds upon the consumer rights found in CCPA, such as access and portability, by adding a GDPR-style right to correct data, expanding the right to delete it, and creating a right for consumers to appeal decisions on consumer rights requests (which must include a direct pathway to contact the Commonwealth's Attorney General).
VCDPA also partially incorporates the CCPA's right to opt-out of the sale of information. Although VCDPA limits the definition of "sale" to transactions that involve monetary consideration, it allows consumers to opt-out of targeted advertising and certain profiling. VCDPA also requires consent before processing "sensitive data" (see Note 3). This feature more closely resembles GDPR -- CCPA does not include a special category or obligations for data regarded as "sensitive."
Like CCPA, VCDPA requires that consumers have access to a Privacy Notice/Policy that provides key information about the categories of data processed and the purposes of the processing, among other things. Like GDPR, businesses must conduct and document data protection (impact) assessments when performing certain types of processing and must enter into data processing agreements that satisfy the statute's mandates.
Thanks to VCDPA's predecessor laws, companies have the benefit of several lessons learned from a compliance perspective:
- Be aware that VCDPA, GDPR, and CCPA/CPRA compliance are not equal substitutes. Certain obligations and concepts may overlap, but there are some key areas of distinction (as mentioned above).
- Be conscious of jurisdictional reach. Many companies elected to voluntarily comply with CCPA out of fear of consequences rather than a confident legal conclusion that compliance was required. Although a calculated risk analysis may lead to a conclusion that compliance is required, it may also plausibly produce a conclusion that compliance is not required.
- Be flexible and anticipate potential changes. CCPA regulations were revised several times before they were finalized, and many of the changes were significant. The VCDPA does not expressly call for the development of regulations by the Virginia Attorney General, but does establish a "work group" of state officials, business representatives, and consumer rights advocates to review the law and submit recommendations by November 1, 2021. This group may ultimately drive the creation of regulations or amendments to the law.
- Be proactive but don't panic. New, comprehensive privacy laws generally give some lead time before becoming effective to allow entities to implement compliance programs. That said, a last-minute rush to achieve compliance could lead to difficulties, especially where vendors are involved. Start early by evaluating what data your company collects and maintains (including whether it falls into a sensitive category), map the sources of data and how you use or disclose it, and decide whether you really need or want it in light of the accompanying obligations. It is also prudent to begin gathering vendor contracts that may need to be amended.
- Be mindful of "sensitive" data. Sensitive personal data is generally treated differently than other data, with more scrutiny concerning its collection and use and greater consumer protections than other forms of personal information.
What to Do Now
It makes sense to start examining whether your organization satisfies the jurisdictional threshold(s) such that you must comply with VCDPA. If your company will be contending with multiple consumer privacy laws, make a game plan for compliance and evaluate whether a hybrid approach -- comprised of the most rigorous aspects of each law -- will be the most effective and efficient overall approach. Your plan should be inter-departmental and include analysis of the practical impact on operations, amendment of vendor contracts, updates to existing privacy policies, data mapping/data inventories, and personnel training.
Finally, in preparing for VCDPA, assess whether your enterprise will be affected by the new California privacy law, CPRA, and be on the lookout for other states that are considering privacy reforms in the nature of CCPA and VCDPA.
1. The CCPA was significantly augmented by the California Privacy Rights Act (CPRA), which was passed by referendum vote in November 2020. The CPRA goes into effect the same day as the VCDPA -- January 1, 2023 -- but has a lookback period to 2022 for certain activities and obligations. VCDPA is a hybrid of CCPA, CPRA, and GDPR.
2. In general, if a company "does business" in California and has annual gross revenues of at least $25 million, it will be subject to CCPA, regardless of the amount of data it handles about California residents.
3. Similar to GDPR and CPRA, VCDPA includes the following as "sensitive information":
- (i) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- (ii) Genetic or biometric data processed for the purpose of uniquely identifying a natural person
- (iii) Personal data collected from a "known child" (undefined)
- (iv) Precise geolocation data
Stephenie G. Anderson Scialabba is a lawyer in the data security and privacy group at Eckert Seamans Cherin & Mellott, LLC where she focuses her practice on global and domestic cybersecurity and data privacy matters. She regularly advises clients in the health, hospitality, gaming, and tech industries as to their legal obligations -- proactive and reactive -- in the evolving compliance landscape. Ms. Scialabba has represented clients in numerous facets of domestic and multinational data breach response. Her practice also consists of working with clients to develop privacy practices and policies that are appropriate for their business models.
Sandy Garfinkel is a business litigator and serves as the chair of the data security and privacy group of Eckert Seamans Cherin & Mellott, LLC. He is a nationally regarded authority on data security and privacy matters and is regularly published and speaks at numerous industry conferences on preparing for and responding to data breaches. In addition to his data breach response practice, Mr. Garfinkel works closely with the firm’s business clients concerning all aspects of the General Data Protection Regulation (the GDPR) and California Consumer Privacy Act (CCPA) compliance and enforcement.