On March 2, 2021, then-Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (the “VCDPA” or “Act”). The effective date of January 1, 2023 is fast approaching. If your business has not yet started taking steps to understand and ensure compliance with this new law, the time is now!
This will be the first of a series of blog posts directed to answering your questions as to whether and how the new Act will affect you and your business.
What is the VCDPA?
The VCDPA establishes rights for Virginia consumers to control how companies use their personal data by dictating how companies must protect personal data in their possession and respond to consumers exercising their rights with respect to such personal data.
The Act outlines responsibilities and privacy protection standards for both controllers and processors of personal data in Virginia. The Act also expands consumer rights to access, correct, delete, and obtain personal data collected by companies and to opt out of personal data collection for targeted advertising, sales, and profiling purposes.
To fully understand the Act and how it may or may not apply to you, you must first understand a few key terms.
A “Controller” of personal data is any person or entity that alone or jointly determines the purpose and means of processing personal data.
A “Processor” of personal data is any person or entity that processes data on behalf of a controller. Processing data is generally any operation performed on personal data whether that operation is automated or not. Common types of personal data processing include collecting, organizing, structuring, modifying, using, combining, erasing, or destroying data.
A “Consumer” covered by the Act is a natural person who is a resident of Virginia acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.
“Personal data” is any information that is linked or reasonably linkable to an identified or identifiable natural person. Common personal data includes a person’s name, physical address, government ID number, license plate number, and biographical or biological information.
The following types of information are expressly excluded from the definition of personal data: (i) employment data, (ii) de-identified data, (iii) publicly available information, and (iv) pseudonymous data, i.e., personal data that cannot be attributed to an individual without the use of additional information.
“Sensitive data” is a subset of personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status; genetic or biometric data; precise geolocation data; and personal data collected from a known child (a person under the age of thirteen).
Who does the VCDPA Apply to?
The Act applies to all persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and, during a calendar year, either (1) control or process personal data of at least 100,000 Virginia residents, or (2) control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.
Are Any Businesses Exempted from the Act?
Yes. Certain entities are exempt from VCDPA compliance, including:
- Virginia state bodies and agencies
- financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
- entities or businesses governed by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH)
- non-profit organizations
- higher education institutions
Certain types of data are also exempt, including information governed by or subject to HIPAA, GLBA, the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).
Look out for our next blog as we explore the compliance obligations facing businesses subject to the Act.
This article is for informational purposes only and does not contain or convey legal advice. Consult a lawyer. Any views or opinions expressed herein are those of the authors and are not necessarily the views of any client.