Submit to Digest

Virginia’s New Consumer Data Protection Act: Will Others Follow?

Reports Privacy

Virginia Consumer Data Protection Act of 2021 (“VCDPA”) Va. Code Ann. § 52

The Virginia Consumer Data Protection Act (“VCDPA”) was signed into law on March 2, 2021 and will go into effect on January 1, 2023. With California passing the California Consumer Privacy Act (“CCPA”) in 2018, Virginia became the second state to enact comprehensive privacy legislation. State Senator David Marsden introduced the VCDPA in the Virginia Senate, emphasizing, “It is time that we find a meaningful way of protecting the citizens of the Commonwealth of Virginia’s data.” The VCDPA draws several aspects from other privacy laws, including the CCPA, the California Privacy Rights Act, the proposed Washington Privacy Act, and the EU General Data Protection Regulation.

The VCDPA imposes obligations on entities that conduct business in Virginia or produce products or services targeted to residents of Virginia, and control or process personal data of at least:

i. 100,000 consumers during the calendar year, or

ii. 25,000 consumers and derive over 50 percent of gross revenue from the sale

of personal data.

However, unlike the CCPA, the VCDPA does not include a revenue threshold, so these obligations may not apply to some large businesses that do not meet these requirements.

The VCDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It also creates a second category of “sensitive data” that includes “1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person; 3. The personal data collected from a known child; or 4. Precise geolocation data.” The VCDPA prohibits processing of sensitive data without obtaining consumer consent. If the sensitive data concerns known children, processing must be in compliance with the Children's Online Privacy Protection Act.

Additionally, the VCDPA defines “consumer” as “a natural person who is a resident of the Commonwealth acting only in an individual or household context.” Unlike the CCPA, which includes employee data, the VCDPA excludes “a natural person acting in a commercial or employment context.” It also explicitly exempts “entities subject to HIPAA (both covered entities and business associates), nonprofits, higher education institutions, and financial institutions or data subject to Gramm-Leach-Bliley Act (GLBA)” in contrast with CCPA’s more limited exemptions, which refer only to data subject to HIPAA and GLBA.

The VCDPA differentiates between controllers and processors. Controllers determine “the purpose and means of processing personal data.” Processors “process[] personal data on behalf of a controller.” The VCDPA’s obligations on controllers include limits on collection, limits on use, technical safeguards to protect the confidentiality, integrity, and accessibility of personal data, data protection assessments, data processing agreements, and a requirement that controllers provide consumers with a privacy policy. Processors’ obligations, on the other hand, are connected to their contracts with controllers. They must “follow controllers' instructions; implement appropriate technical and organizational measures to help the controller respond to consumer rights; and provide the necessary information for controllers to comply with their data protection assessment obligations.”

The VCDPA also gives consumers several rights concerning their data, without exceptions. Virginia consumers can access, correct, delete, and obtain a copy of their personal information. They can also opt out of personal data processing.

Notably, however, the VCDPA lacks a private right of action if it is violated. Instead, exclusive enforcement of the VCDPA belongs to Virginia’s Attorney General. Ropes & Gray suggests, though, that the business-friendly nature of the VCDPA may have made it “more palatable to lawmakers, prompted its speedy enactment, and suggests a path for a federal privacy law.”

While the VCDPA moved quickly through the General Assembly with broad-based bipartisan support, there is no guarantee that national legislation will pass without impediments. Many proposed privacy bills introduced to Congress in recent years have been especially divided on issues of individual rights of action and the preemption of state law. Other states are likely to follow Virginia’s lead. The International Association of Privacy Professionals commented that “[s]tate-level momentum for comprehensive privacy bills is at an all-time high.” The National Law Review notes several states to watch as the year continues regarding promising privacy bills, including Florida, Minnesota, New York, Oklahoma, and Washington. Bloomberg Law explained that the VCDPA may encourage other states to enact their own privacy laws by providing an alternative model to the CCPA. As more states establish their own privacy laws, pressure will build on Congress to enact national privacy legislation. Until then, the expanding state legislation many expect to see following the VCDPA will continually raise the baseline of acceptability.