On March 2, 2020, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law, making Virginia only the second state to enact such comprehensive data protection legislation (after California). The law itself becomes effective on January 1, 2023 and will be codified at Virginia Code §59.1-571.
The VCDPA applies to all businesses that either 1) control or process the personal data of at least 100,000 consumers during the calendar year, or 2) derive more than 50% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
Virginia is not usually known to be at the forefront of consumer protection legislation, but a perfect storm permitted the law’s passage. The legislation was made possible by the confluence of a Democratic governor, Democratic state senate, Democratic House of Delegates, and Democratic attorney general, all of whom wanted this legislation enacted.
Types of Information Covered by VCDPA
The VCDPA protects certain “Sensitive data” including data regarding an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, genetic data, citizenship, or immigration status, “personal data from a known child [younger than 13],” or a person’s precise geolocation.
Substantial exemptions for data are contained in § 59.1-572(C), including HIPAA health information, health information covered by other federal statutes, consumer credit information protected by the FCRA, educational information protected by FERPA, and other information protected by other federal acts.
What companies are subject to the VCDPA?
“Data brokers,” which are either high-profile Big Tech companies (e.g., Google, Amazon) or the lesser-known companies that gather, analyze, package, and sell consumers’ personal information, are subject to the VCDPA. According to the VCDPA, data brokers must hit specific thresholds for the law to apply to them. These requirements include:
- “Persons” (including corporations) must do business in Virginia or sell products and services that target Virginia residents.
- The organizations have to control the data of at least 100,000 Virginia residents. (This number is decreased to 25,000 residents if the company receives half or more of its revenue from selling personal information.)
There are several exemptions for certain entities. These include:
- Entities that collect data pertaining to employment or other commercial information.
- Entities in the financial services, research, credit reporting, healthcare, or educational industries.
- Non-profit entities.
Rights under the VCDPA
The VCDPA grants Consumers (that is, natural persons who are residents of Virginia acting only in an individual or household capacity) a variety of new data “rights.” These include:
- The right of access. Virginians can request to know all the information a company collects on them.
- The right of correction. Consumers can request a company correct wrong information, and the company may have to comply.
- The right of deletion. Individuals can request the deletion of their data.
- The right to opt-out of targeted advertising, data selling, and profiling.
The VCDPA includes several exemptions for these “rights.”
Exercising Virginia Citizens’ Rights
Virginia citizens can request that a “Controller” (that is, person(s) within an entity that determine the purpose and means of processing personal data) identify whether it is using that person’s data and, if so, may request access to that data. The Controller has 45 days to respond (this may be extended for a second 45 days).
Controllers may refuse the above-described requests within 45 days but have to offer an appeals process that includes a mechanism for the Virginia citizen to submit a complaint to the Virginia Attorney General, who has sole enforcement authority under the VCDPA.
If a Virginia citizen finds the information to be inaccurate, they can request correction of the inaccuracies. They may also seek that the data be deleted and request a portable copy of the data. The Controller must provide the responsive information free of charge, provided that a request is made no more than twice per year and the request is not manifestly unfounded or excessive.
Organizations can get out of many of these information requests if they feel the request causes an “unreasonable burden.” They also do not need to comply if the data collected is pseudonymized (meaning they replaced identifying info with pseudonyms).
Enforcement/Penalties/Potential Uses of the Act
The VCDPA does not allow Virginia citizens a private right of action to sue companies for violating the law by selling or using their data.
Starting in 2023, any company found in non-compliance with the terms of the VCDPA based upon an action by the Virginia Attorney General will have 30 days to correct their course or be subject to a $7,500 fine for each violation.
One potential use of the VCDPA may be as a standard of care in negligence actions brought by individual citizens due to harm caused by Controllers and “Processors” (person(s) who process data for a Controller) in the use of that person’s data. Therefore, even though the VCDPA does not create a private right of action for Virginia citizens, it is possible that the statute may provide the standard of care for a negligence claim by such citizens.
Other Aspects of the Law
The intent of the VCDPA is for Controllers to have obligations beyond just meeting consumer requests for information and corrections.
Controllers are also supposed to minimize data collection, limit data processing to “purposes that are compatible with the disclosed purposes,” implement reasonable security practices, not discriminate based on the exercise of rights in the law (there may be exceptions for “loyalty” clubs), and obtain opt-in consent for processing sensitive data.
Controllers are supposed to provide accessible, clear, and meaningful privacy notices that include information on the types of information processed, the purpose for processing, how consumers may exercise their rights, categories of data shared with third parties, and the categories of third parties with whom the controller shares data. The privacy notice must also include one or more secure means for consumers to submit the requests allowed by the VCDPA.
Processors have their own set of obligations, although the statute makes clear that Controllers should include appropriate clauses in their contracts with Processors to ensure compliance with the law. However, the law will compel performance regardless of the contract language. Finally, Controllers must conduct and document data protection assessments for certain activities. The Attorney General may request data protection assessments relevant to an investigation.
Attorney General Implementation
The road remains murky as to how the law will be applied by the new Attorney General who entered office on January 15, 2022. As a Delegate, the new Attorney General voted against the Act initially, but voted for the Act upon final passage. According to the Washington Post, the Attorney General announced that he may create the office’s first chief privacy counsel to investigate and prosecute cases involving breaches or misuse of personal data as an outgrowth of the VCDPA.
The Path Forward – Advising Clients Subject to the Law
Another twenty-eight states have or are considering their own similar comprehensive privacy laws. As a result, companies may be subject to several privacy regimes, as other states pass their own privacy laws. For many companies, it may be best to build a compliance program that addresses the common denominator for all the privacy laws. Compliance programs for these laws require both process changes and technical solutions. Organizations subject to the processing thresholds, or ones that expect to grow to the thresholds in the next couple of years, should begin developing the processes now to ensure compliance.
Some companies will wait to see if a federal law pre-empts the state laws, but this is a risky strategy. Much of the work done to comply with Virginia’s law will likely be applicable to any federal law.
Fletcher, Heald & Hildreth, PC is monitoring the VCDPA and has the expertise to assist companies who may be subject to the law, whether they are seeking to avoid liability or to protect their privacy under the new legislation. Please contact Fletcher, Heald & Hildreth if you have any questions about the VCDPA.