Main Menu
PDF

Getting Ready For Virginia’s Consumer Data Protection Act (VCDPA)

MSK Client Alert
November 22, 2022

On November 21, 2022 we reported about the changes taking place to California’s Consumer Privacy Act (here) which are effective January 1, 2023. In this Alert, we turn to the Virginia Consumer Data Protection Act (VCDPA) which takes effect on January 1, 2023. Inspired by the European GDPR, Virginia’s state privacy law aligns with its European counterpart and in some ways parallels California data privacy legislation.

We trust our “to do” list will help you get ready.

  1. Evaluate whether your business is subject to VCDPA.

VCDPA applies to all entities who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the commonwealth and, during a calendar year, either: (1) control or process personal data of at least 100,000 Virginia residents, or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents.

VCDPA does not apply to:

It is also important to note, unlike the CPRA,the VCDPA, does not provide a private right of action, and does not cover a natural person acting in a commercial or employment context.

There are privacy laws taking effect in Colorado and Connecticut on July 1, 2023 and in Utah on December 31, 2023. We will address those changes after the first of the year.


[1] “Nonprofit organization” means any corporation organized under the Virginia Nonstock Corporation Act (§ 13.1-801 et seq.) or any organization exempt from taxation under § 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any political organization, any organization exempt from taxation under § 501(c)(4) of the Internal Revenue Code that is identified in § 52-41, and any subsidiary or affiliate of entities organized pursuant to Chapter 9.1 (§ 56-231.15 et seq.) of Title 56.

[2] Much like the CCPA/CPRA Virginia law lists what your Privacy Policy should contain. (Va. Code Ann. § 59.1-578(C),(D), (E).)

[3] Sensitive information is defined as Personal Information that if lost, compromised, accessed, or improperly disclosed could result in harm, embarrassment, inconvenience, or unfairness to an individual and that therefore is subject to heightened protections. Examples of Sensitive Personal Information include, but are not limited to: (a) an individual’s government-issued identification number, including a social security number, driver’s license number, or state-issued identification number; (b) a financial account number, credit card number, or debit card number with or without any required security code, access code, personal identification number, or password, that would permit access to an individual’s financial account; (c) biometric, medical, health, or health insurance information; (d) precise geolocation data; (e) racial or ethnic origin and citizenship or immigration status; (f) religious or philosophical beliefs or political opinions; (g) Trade union membership; (h) sexual orientation: and (i) criminal records.

Back to Page