Getting Ready For Virginia’s Consumer Data Protection Act (VCDPA)
On November 21, 2022 we reported about the changes taking place to California’s Consumer Privacy Act (here) which are effective January 1, 2023. In this Alert, we turn to the Virginia Consumer Data Protection Act (VCDPA) which takes effect on January 1, 2023. Inspired by the European GDPR, Virginia’s state privacy law aligns with its European counterpart and in some ways parallels California data privacy legislation.
We trust our “to do” list will help you get ready.
1. Evaluate whether your business is subject to VCDPA.
VCDPA applies to all entities who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the commonwealth and, during a calendar year, either: (1) control or process personal data of at least 100,000 Virginia residents, or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents.
VCDPA does not apply to:
- Non-profits[1]. The expanded definition (see footnote below) also covers political organizations and insurers exempt from taxation under the Internal Revenue Code.
- State or local governmental entities.
- Financial institutions.
- Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
- Higher education institutions.
2. Check your Privacy Policy. Check whether your privacy policy is in line with CPRA. If the answer is “yes,” you are well on your way to meeting the requirements of VCDPA[2]. Nonetheless, make sure that your privacy policy includes:
- The personal data categories collected and processed.
- The processing purpose.
- Information on how consumers may exercise their consumer rights, including how to submit consumer requests.
- The categories of personal data shared with third parties, if any.
- The categories of third parties with whom the controller shares personal data, if any.
- Whether the controller sells personal data or processes personal data for targeted advertising and how a consumer may opt out.
3. Make sure your business is ready to:
- Enable data portability, so that if requested you can provide users with a copy of their personal data in a readily usable format which is easy to transfer.
- Provide consumers with information whether a controller is processing their personal data, give consumers access to their personal data, and enable correction and/or deletion of data, which is expanded to include any data received about the consumer, not just that provided by the consumer.
- Allow consumers to opt-out of targeted advertising, personal data sales, and automated decision-making.
- Obtain parental consent to process data of a child under 13 years of age in compliance with the Children’s Online Privacy Protection Act (COPPA).
- Perform data protection assessments when required. Unlike the CPRA where this requirement still depends on final implementing regulations, the Virginia law requires consideration of processing that may pose a greater risk for consumer harm.
- Limit personal data collection to what is adequate, relevant, and reasonably necessary for the designated purpose, and process personal data for purposes that are reasonably necessary or compatible with the purposes disclosed to the consumer in your privacy policy.
- Make sure you do not discriminate against consumers exercising their data protection rights.
- Process consumers’ sensitive[3] personal data only with their consent. Unlike the CPRA, the VCDPA requires affirmative opt-in before processing sensitive personal data.
It is also important to note that, unlike the CPRA, the VCDPA does not provide a private right of action and does not cover a natural person acting in a commercial or employment context.
There are privacy laws taking effect in Colorado and Connecticut on July 1, 2023 and in Utah on December 31, 2023. We will address those changes after the first of the year.
[1] “Nonprofit organization” means any corporation organized under the Virginia Nonstock Corporation Act (§ 13.1-801 et seq.) or any organization exempt from taxation under § 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any political organization, any organization exempt from taxation under § 501(c)(4) of the Internal Revenue Code that is identified in § 52-41, and any subsidiary or affiliate of entities organized pursuant to Chapter 9.1 (§ 56-231.15 et seq.) of Title 56.
[2] Much like the CCPA/CPRA, Virginia law lists what your Privacy Policy should contain. (Va. Code Ann. § 59.1-578(C), (D), (E).)
[3] Sensitive information is defined as Personal Information that if lost, compromised, accessed, or improperly disclosed could result in harm, embarrassment, inconvenience, or unfairness to an individual and that therefore is subject to heightened protections. Examples of Sensitive Personal Information include, but are not limited to: (a) an individual’s government-issued identification number, including a social security number, driver’s license number, or state-issued identification number; (b) a financial account number, credit card number, or debit card number with or without any required security code, access code, personal identification number, or password, that would permit access to an individual’s financial account; (c) biometric, medical, health, or health insurance information; (d) precise geolocation data; (e) racial or ethnic origin and citizenship or immigration status; (f) religious or philosophical beliefs or political opinions; (g) trade union membership; (h) sexual orientation; and (i) criminal records.