Privacy Law Update: Virginia’s Consumer Data Protection Act – Final
From a privacy perspective, 2021 is getting off to a quick start in the United States. Baseline privacy bills are currently pending in at least 13 state legislatures. On March 2, 2021, Virginia Governor Northam signed into law H.B. 2307, the Virginia Consumer Data Protection Act (VCDPA), making Virginia the first state to pass a comprehensive privacy law in 2021.
The VCDPA resembles the GDPR and the CCPA and is nearly identical to the Washington Privacy Act. It requires opt-in consent for the processing of sensitive data and for incompatible secondary uses, Data Protection Assessments, and compliance with consumer rights – access, deletion, correction, portability, and opt-outs of sale, targeted advertising, and profiling.
Effective January 1, 2023, the VCDPA will apply to:
- Companies that do business in Virginia or that target their products or services to Virginia residents, and that control or process “personal data” relating to at least 100,000 Virginia residents during a calendar year
- Personal data that relates to individuals who are residents of Virginia, to the extent that those individuals are acting in “an individual or household context,” but not to the extent that they are acting in “a commercial or employment context”
VCDPA provides rights to Virginia residents (consumers) to:
- Confirm whether a controller is processing their personal data and access that data
- Correct inaccuracies in their personal data
- Delete personal data provided by or obtained about the consumer
- Obtain a copy of their personal data in a portable, readily usable format
- Opt out of the processing of their personal data for purposes of sale, targeted advertising, or profiling decisions
Unlike the CCPA, the VCDPA:
- Has a 30-day cure period
- Requires that a controller create a process for a Virginia resident to appeal the controller’s refusal to take action on such a request
- More clearly articulates the distinction between a “controller” and a “processor”
- Requires that controllers conduct and document “data protection assessments” regarding certain activities (e.g., the processing of sensitive data)
- Has exemptions for:
  - Financial institutions
  - HIPAA covered entities and business associates
  - Nonprofits
  - Higher education institutions
The VCDPA will be enforced by the Virginia Attorney General’s office:
- Violations have a 30-day notification period to allow the controller or processor the opportunity to cure the violation
- Uncured violations are subject to action seeking $7,500 per violation
- The VCDPA does not include a private right of action
While Virginia is the first state to enact a data privacy law in 2021, it won’t be the last. Complying with this law (as currently written) will in many ways be consistent with what you are already doing for California and the European Union. If you’ve mapped to those requirements, you are pointed in the right direction to comply with the VCDPA. There is, however, still work to be done, including updating your policies, vendor agreements, and subject request mechanisms, and re-assessing your products, systems, and services. The WireWheel platform is built with the flexibility to accommodate these changes with ease and efficiency.