The Virginia Consumer Data Protection Act (VCDPA) explained: key points and implications

The United States does not yet have a federal privacy law, but led initially by California, more states are enacting their own data privacy laws.

Virginia was the second state to pass a privacy act from HB 2307 with the Virginia Consumer Data Protection Act (VCDPA). Virginia’s privacy law takes some influence from the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). In turn it has influenced other state laws like the Connecticut Data Privacy Act (CTDPA) and Utah Consumer Privacy Act (UCPA).

Read on to get answers to these questions and much more:

• What and who does the VCDPA cover?
• What does the VCDPA mean for businesses?
• What rights do consumers have under the Virginia data privacy law?
• What are the penalties for noncompliance with the VCDPA?

The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and came into effect on January 1st, 2023, the same day as California’s Consumer Privacy Rights Act (CPRA), that state’s second data privacy law.

The VCDPA is a comprehensive state-level privacy legislation that protects personal data belonging to the 8.7 million residents of Virginia. The VCDPA governs the collection and processing of consumers’ data, including their consent to — or opting out of — its use and requests relating to consumers’ privacy rights.

The VCDPA affects for-profit companies that do business in Virginia, or that produce products or services targeted to residents of Virginia, if they:

• control or process personal data of 100,000 or more consumers during a calendar year

or

• control or process personal data of 25,000 or more consumers and derive over 50% of their gross revenue from the sale of that personal data

Companies that meet these requirements do not have to be headquartered in the state for the Virginia privacy law to apply, as the law is extraterritorial.

The following types of businesses do not have to comply with the VCDPA:

• bodies, authorities, boards, bureaus, commissions, districts, or agencies of the Commonwealth of Virginia or political subdivision of the Commonwealth
• financial institutions or data that are subject to Title V of the federal Gramm-Leach-Bliley Act (which requires companies to safeguard consumers’ sensitive data and explain their information-sharing practices)
• covered entities or business associates governed by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA)
• non-profit organizations
• institutions of higher learning

The Virginia data privacy law defines various key terms that explain who the law impacts and what activities fall under its ambit.

Controller under the VCDPA means the “natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.”

Closely tied to the controller is the processor, defined as “a natural or legal entity that processes personal data on behalf of a controller.” A controller may do their own data processing or a third party, like a vendor or service provider, may act as the processor and do it for them. Such a relationship includes data safeguards and contractual requirements under the VCDPA.

Another key definition in the VCDPA is that of processing, which refers to what is being done with or to consumers’ data once collected. The law defines it as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”

A consumer under the Virginia privacy law is defined as: “a natural person who is a resident of the Commonwealth of Virginia acting only in an individual or household context.” This definition specifically excludes a natural person acting in a commercial or employment context.

Sale is defined as “the exchange of personal data for monetary consideration by the controller to a third party.”

Like Utah’s law, this definition excludes “other valuable consideration” options as a sale, as well as these types of transactions that disclose personal data:

• to a processor working on behalf of the controller
• to a third party as part of a merger, acquisition, bankruptcy, or other transaction
• to a third party to provide a product or service that the consumer has requested
• to an affiliate of the controller
• that the consumer intentionally made public without restriction (e.g. social media with minimal or no privacy settings engaged)

The VCDPA defines targeted advertising as the display of ads to a consumer based on their personal data collected from their “activities over time and across non-affiliated websites or online applications to predict such consumer’s preferences or interests.”

The law excludes:

• ads where the data used to select the ad is obtained from the consumer’s behavior on the controller’s site or app itself
• ads that are contextually relevant to the consumer’s current search query, visit to a website, or online application
• ads displayed to a consumer in response to the consumer’s request for information or feedback
• processing of personal data solely for the purpose of measuring or reporting advertising performance, reach, or frequency

Profiling under the law means “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

This definition encompasses a wide range of activities that could be used to build profiles of individuals and make decisions based on those profiles.

The definition of consent under the VCDPA is similar to that under the General Data Protection Regulation (GDPR), as that regulation’s definition has been globally influential in laws relating to data privacy and/or protection.

Virginia’s data privacy law defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

Virginia’s law operates primarily on an opt-out basis, which means that businesses are not typically required to obtain consent before processing consumer data. However, there are specific circumstances outlined in the VCDPA where businesses must obtain prior opt-in consent:

• If the stated purpose for data processing changes
• the data is categorized as sensitive
• the data is that of a known child (under age 13)

Modern privacy laws typically have consistent definitions of what constitutes personal data or information, but there are a number of variations at the granular level. See Personally Identifiable Information (PII) vs. Personal Data – What’s the difference for an in-depth breakdown. There’s also linked vs. linkable personal information, definitions that depend on how many combined data points are needed to establish an individual’s identity.

Personal data under the Virginia data privacy law means “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It specifically excludes de-identified data or publicly available information.

Organizations can collect and process personal data in most cases without consumers’ prior consent, but consumers must have the option to opt out of its sale or use for targeted advertising or profiling at any time.

Under Virginia’s privacy law, the following categories qualify as sensitive personal data, requiring prior consent from the data subject before processing:

• collected from a known child under the age of 13 – consent to process this data must come from a parent or legal guardian, in line with the requirements of the Children’s Online Privacy Protection Act (COPPA)
• genetic or biometric data, if processed for the purpose of identifying an individual
• precise geolocation data (to within a radius of 1,750 feet / 533.4 metres)
• citizenship or immigration status
• racial or ethnic origin
• religious beliefs
• sexual orientation or activities
• health diagnosis (mental or physical)

Not all processed consumer data is subject to the VCDPA, and exemptions can be full or partial. In addition to de-identified and publicly available data, exemptions include personal data that is:

• regulated by existing laws, including:
  • consumer credit check information under the Fair Credit Reporting Act (FCRA)
  • student data regulated by the Family Educational Rights and Privacy Act (FERPA)
  • Driver’s Privacy Protection Act
  • Farm Credit Act
  • patient and health information, as well as covered entities and business associates, governed by the Health Insurance Portability and Accountability Act (HIPAA) and other laws
• from employees, independent contractors, and applicants, including data collected and used in the context of those roles

In this way Virginia’s privacy law differs a fair bit from the California laws and the GDPR, as they have fewer specific exemptions based on existing laws of more limited scope. These exemptions are, however, similar to those of Utah, Connecticut and Colorado and some other states’ laws.

The VCDPA gives consumers several key rights:

• Right to access: confirm whether or not the controller is processing the consumer’s personal data and access such data, with exceptions
• Right to correction: any inaccuracies in the information the controller has, taking into account the nature of the personal data and processing purposes
• Right to delete: any personal data provided by, or obtained about, the consumer, with exceptions
• Right to portability: obtain a copy of the consumer’s personal data processed by the controller, in a portable and reasonable readily usable format, where processing is carried out by automated means, with exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out: of processing of personal data for the purposes of sale, targeted advertising, or profiling “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer”

Ensuring that these rights are addressed in a company’s compliance efforts goes a long way to answering the question of “How can I make sure that my business is compliant with the VCDPA?”

Companies have to notify consumers about their rights as well as how to exercise them. This is commonly done with contact information supplied in the privacy policy page or similar on the website. However, for alleged violations or similar complaints, consumers will have to contact the Virginia Attorney General’s office, which handles investigations. Under the VCDPA, there is no private right of action, which means that consumers cannot sue companies (or controllers) for alleged violations of the VCDPA. To date only California has provided this right.

Under Virginia’s data privacy law, consumers do not have to be separately or explicitly notified when data is collected, unless it’s classified as “sensitive”, which differs from the California laws. When companies don’t need to obtain consent, for example, they can be compliant with VCDPA requirements for notification with information posted to their website, like in the privacy policy, and by providing a clear and accessible mechanism to opt out of data processing.

Organizations that are required to comply with the provisions of the Virginia data privacy law must fulfill certain requirements based on whether they are a controller or a processor.

The duties of controllers under the VCDPA are as follows.

• Set up and maintain administrative, technical, and physical data security practices that are reasonable and appropriate to the amount and types of personal data processed in order to protect confidentiality, integrity and accessibility of personal data.
• Respond to consumer requests regarding their data within 45 days of receipt of the request. In some cases the response period can be extended by an additional 45 days, but the consumer has to be notified of the need to extend the response period, and the reason for it.
• Set up a process for consumers to appeal refusal by the controller to take action on consumer requests.
• Limit collection of consumers’ personal data to what is “adequate, relevant, and reasonably necessary” for the purposes that the data is being processed, as disclosed to consumers.
• Not process personal data for purposes other than those disclosed to consumers, and that are not reasonably necessary nor compatible with previously disclosed purposes, unless consumer consent has been obtained, and with certain exceptions.
• Not discriminate against consumers by processing personal data in violation of relevant state and federal laws.
• Ensure that agreements with processors do not purport to waive or limit in any way consumer rights.
• Notify the consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  • categories of personal data processed by the controller
  • purpose for processing personal data
  • how consumers can exercise their rights, including appeal proceedings
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties if any, with whom the controller shares personal data
• Clearly and conspicuously disclose processing if it sells personal data to third parties or processes personal data for targeted advertising or profiling, as well as the manner in which a consumer may exercise the right to opt out of these sales or uses.
• Establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their rights.

Regarding de-identified (anonymized) data, under the VCDPA controllers have several protective duties:

• to take reasonable measures to ensure it can’t be associated with an individual (natural person)
• to commit publicly to abstaining from attempting to re-identify the data
• to contractually obligate recipients of de-identified data to comply with VCDPA requirements.

Controllers also need to have reasonable security practices to protect “confidentiality, integrity and accessibility of personal data”, and communicate to consumers what these practices are.

Information that controllers provide in response to a consumer request must be provided at no cost, up to twice each year for each consumer.

Under Virginia’s privacy law, while controllers have responsibilities to consumers, they also need to have contractual agreements with processors. This is similar to requirements under the GDPR to ensure that only necessary data is processed, and only those who need access to the data have it. Additionally, processors must also be properly trained in data handling and security.

A data processing agreement between a controller and processor should cover:

• the rights and obligations of both parties
• instructions for processing data
• types of data to be processed
• nature and purpose of processing
• duration of processing

Any agreement should also ensure that the processor:

• ensures that each person processing personal data is subject to a duty of confidentiality regarding the data
• upon reasonable request provides all information in its possession to demonstrate compliance with its obligations
• at the controller’s direction, returns or deletes all personal data once services provided are completed (unless retention is required by law)
• cooperates with the controller’s or controller’s designated assessors’ assessments of the processor’s policies and organizational or technical measures for compliance
• engages with subcontractors, which meet the obligations of the processor with respect to the personal data in a written form.

In addition to the requirements under the agreement, the VCDPA also lays out several obligations of processors towards controllers.

Processors must follow the instructions of the controller and assist the controller in meeting its duties under the VCDPA. The duties of processors under the law are:

• to use appropriate technical and organizational measures to help the controller respond to consumer requests regarding their rights
• to assist the controller in maintaining the security of the personal data and notifying the controller if there is a breach of security
• to provide necessary information to help the controller conduct and document assessments of the data protection measures in place.

The processor must support the controller in managing and protecting the personal data in their care, ensuring that the data is handled in compliance with Virginia’s data privacy law and that consumer rights are respected. If the Attorney General’s office starts an investigation, processors are also required to cooperate with any inquiries.

Controllers must conduct and document a Data Protection Assessment (DPA) when any of the criteria listed below take place:

• sale of personal data
• processing of sensitive data
• processing of personal data presenting a heightened risk of harm to consumers
• processing for targeted advertising purposes
• profiling, if there is a reasonable risk of harm to the consumer

A DPA is often also referred to as a Data Protection Impact Assessment (DPIA), which is what it’s called under the GDPR, for which it is also a requirement. It identifies and weighs the benefits and risks of personal data processing for the controller, consumer, other stakeholders, and the public more broadly. The risks, it should be noted, are mainly for affected consumers. A DPA also includes safeguards to mitigate identified risks to processing the data.

The Virginia Attorney General may, pursuant to a civil investigative demand, request that a controller disclose a DPA, and the controller must comply.

Controllers are also responsible for having a privacy notice, e.g. on a privacy policy page, under the VCDPA, which needs to be in clear language, prominently displayed and accessible, and include:

• categories of personal data the controller will process
• categories of personal data the controller shares with third parties, if any
• categories of third parties with whom the controller will share personal data, if any
• purpose of the data processing
• disclosure regarding data processing for sale, targeted advertising purposes, or profiling, and instructions to enable consumers to opt out

Controllers also need to provide means by which consumers can exercise their rights under Virginia’s data privacy law (including the appeals process) and communicate with the controller. These means need to be “secure and reliable” and have to take into account ways in which the controller and consumers normally interact. Using a link on a website would be reasonable, for example, but a long, bureaucratic process would not.

Controllers also need to be able to reasonably authenticate consumers’ identities if they make requests, and can deny requests if they are not able to do so. Controllers also can’t require consumers to create new accounts in order to make those requests, but can require them to login to an existing account, which helps facilitate verification.

For any complaints regarding alleged violations of the VCDPA, consumers must contact the Virginia Attorney General’s office, which will have responsibility for investigating complaints and other allegations of violations, and instituting civil actions. Consumers do not have a private right of action under Virginia’s data privacy law, so cannot sue companies for alleged or proven violations.

Violations of the VCDPA can result in fines up to USD 7,500 per violation. This is consistent with fines under the California and Utah laws, though potentially much less than the fines that can be levied under the GDPR, which can be up to EU 10 million or 2% of global annual revenue for the first tier of violations and penalties, or EU 20 million or 4% of annual revenue for second tier, which includes repeated or more egregious violations.

The Attorney General has to provide companies with 30 days’ notice of a violation and “opportunity to cure”, which means to correct issues that led to the violation, and possible recurrence of the violation, before fines can be levied.

Outside of official penalties, however, companies accused of breaches or other violations can lose considerable brand reputation, affecting customer acquisition, retention, and revenues.

Like the other state-level data privacy laws in the US, the VCDPA uses an opt-out model where prior consent is not needed in most cases, rather than an opt-in model like the EU’s GDPR. This provides more access to data, and, in many cases, fewer restrictions on its use. Like pretty much all privacy laws, the VCDPA does require easily accessible notification for consumers about data collected, its purposes, entities it may be shared with, how to exercise consumers’ rights, etc.

The threshold for which organizations must comply also differs from the California laws in that a company’s gross annual revenue is not a criterion on its own, and gross revenue from the sale of personal data is tied to a threshold number of consumers (25,000 or more). Under some other laws, the revenue threshold only requires earning at least half of their annual revenue from the sale of personal data, but there isn’t a threshold number of consumers tied to it. More recently, US state-level data privacy laws passed in 2023 and 2024 have not included a revenue-only threshold at all.

Like all of the state-level laws except California, Virginia’s privacy law is in its first version and is expected to be amended over time once lawmakers see how it is working and where there are issues. Changes in data sources, technology, and other concerns will also likely have an influence. It is not known exactly how it would affect state-level laws if a federal data protection law is eventually passed in the US, though it would supersede state-level laws in at least some ways, and there would likely be more centralized enforcement.

Compliance with a single law, rather than potentially 50+ state- and territory-level laws would certainly be much more straightforward for entities doing business in and around the United States. One federal-level influence already in place is that the VCDPA, along with a number of the other state-level laws, “outsources” requirements regarding data privacy and processing of children’s data to the Children’s Online Privacy Protection Act (COPPA).

Additionally, considerations for financial, healthcare, and other data come under the purview of several other federal laws, like HIPAA and the GLBA.

The VCDPA does not enable consumers to sue companies in the event of an alleged breach or violation, so enforcement is limited to the actions of the Virginia Attorney General. This is similar to all the other US state-level laws to date except California’s. The VCDPA does explicitly outline amounts for fines, though several state-level laws had omitted that, putting it under requirements of another existing state-level law, like those governing consumer protection and trade practices.

The Virginia data privacy law has more limitations in its scope than the California laws or GDPR, particularly regarding VCDPA compliance with existing laws at varying levels. Not limiting processing of consumers’ personal data for operations “reasonably aligned with the expectations of the consumer”, also leaves a fair bit of room for interpretation.

Under the VCDPA controllers do not have to provide a “clear and conspicuous link” to enable consumers to opt out of the sale of their data, commonly referred to as a “Do Not Sell” button, as is required in California and some other states.

Controllers and processors do, however, have the comply with the following:

• processing for certain business purposes, e.g. product recalls
• federal, state, and local laws and regulations
• criminal, civil, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities
• investigation of, preparation for, or defense against legal claims
• cooperation with law enforcement agencies regarding conduct or activities that processors reasonably believe may violate federal, state, and local laws and regulations
• provide a product or service, perform a contract to which the customer is a party, or take steps as specifically requested by the consumer prior to entering into a contract
• respond to security issues or potential illegal activity
• take immediate steps for the life and safety of individuals
• conducting research in public interest (under certain conditions)

For companies already working to comply with, or in compliance with the CCPA/CPRA or even GDPR, VCDPA compliance should require a limited amount of work. Like Utah’s Consumer Privacy Act (UCPA), Virginia’s Attorney General has referred to the VCDPA as a work in progress. Amendments over time are likely, especially given that the law mandates a working group to review it and implementation issues.

The Virginia Consumer Data Protection Act provides a number of new consumer rights, as well as companies’ requirements for notification and circumstances under which consent must be obtained before collecting and processing data. Seeking expert legal advice is recommended to determine your organization’s potential responsibilities and actions needed to ensure VCDPA privacy compliance. Proactive efforts to protect user privacy are also always a good idea to help build user trust and secure high quality data for marketing operations.

Consult one of our experts to help ensure your company’s data compliance and happy customers.