The Virginia Consumer Data Protection Act (VCDPA) was the second comprehensive consumer privacy law passed in the United States. Commercial organizations that conduct business in Virginia and process consumer data will be the most affected by the VCDPA.
Learn how UpGuard’s comprehensive cybersecurity solution can help your business remain compliant>
What is the Virginia Consumer Data Protection Act (VCDPA)?
The VCDPA grants several consumer rights to residents of Virginia, including the right to access their data and the right to opt out of the sale of their data for targeted advertising. The law also outlines regulations related to sensitive data, de-identified data, and data protection assessments.
To be subject to the law, entities conducting business in Virginia must meet one of two data processing thresholds:
- Process or control the personal data of 100,000 or more consumers in a calendar year, or
- Process or control the personal data of 25,000 or more consumers while obtaining over 50% of gross revenue from the sale of data
Important note: Entities that target Virginia residents to sell products or services are also subject to the VCDPA if they meet one of the two processing thresholds.
VCDPA Effective Date
The VCDPA took effect on January 1, 2023, following the California Consumer Privacy Act (CCPA).
Virginia Privacy Law: What Rights Does it Grant to Consumers?
The VCDPA provides consumers with these rights:
- The right to know if a controller is processing data
- The right to access processed data
- The right to delete collected personal data
- The right to correct inaccuracies in collected data
- The right to obtain a portable copy of collected data in a readily usable format
- The right to opt out of the processing of personal data for the purposes of targeted advertising, profiling, or sale of personal data
What Types of Data Are Exempt From the Virginia Data Privacy Law?
The VCDPA provides exemptions for several data categories subject to federal laws and other regulatory statutes enacted before the act’s formation.
The following categories of personal data are exempt from the VCDPA:
- Healthcare and insurance information subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Financial information subject to the Fair Credit Reporting Act
- Motor vehicle information subject to the Driver’s Privacy Protection Act
- Education information subject to the Family Educational Rights and Privacy Act (FERPA)
What Businesses Are Exempt From the VCDPA?
While the VCDPA does provide strict data privacy legislation for entities that process a large amount of personal data, the law also outlines exemptions for several types of businesses.
The following organizations are exempt from the regulations set forth by the VCDPA:
- Sections of the Virginia government, including any body, authority, agency, commission, or other groups
- Institutions of higher education
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Institutions governed by HIPAA
- Nonprofit organizations
Controllers vs. Processors
The VCDPA explicitly distinguishes between the requirements data controllers and data processors must follow to achieve compliance and protect a consumer’s personal data. The act also lays out definitive definitions for controllers and processors.
Controllers
Virginia law defines controllers as any entity, individual, or collection of individuals that determines how, when, or why consumer data is processed.
Controller Obligations
Under the VCDPA, controllers must follow the following regulations:
- Practice data minimization by only collecting personal data that is reasonably necessary and relevant
- Ensure the confidentiality, integrity, and accessibility of personal data protection by implementing and maintaining adequate data security practices
- Establish a system consumers can access to submit requests and exercise their rights granted under the law
- Promptly assess, authenticate, and process any applicable consumer requests that are received
- Promptly disclose the sale of personal data to any third party and provide customers a means to opt out of such processing
- Provide consumers with a clear and meaningful privacy notice that details what types of personal data the controller is collecting, how a processor will use this data, and how this data can be accessed
Controller Restrictions
The VCDPA restricts controllers from:
- Processing data for purposes other than the disclosed purposes previously presented to the consumer
- Processing sensitive data without consumer consent
- Taking discriminatory action against a consumer for exercising their rights
- Limiting consumer rights in any way
Processors
The VCDPA defines processors as any entity, individual, or collection of individuals that processes data on behalf of a controller.
Processor Obligations
The VCDPA requires processors to follow all data processing instructions the controller sets. Data processors are obligated to help controllers achieve obligations. The act also requires all data controllers and processors to draft and sign a data processing agreement before processing any consumer data.
Data Processing Agreements
Data processing agreements mandated by the VCDPA must outline what types of data should be processed, the intent behind processing data, the duration of processing, and the obligations of both parties throughout processing.
The contract must require the data processor to:
- Ensure each processor is subject to confidentiality
- Provide the controller with all available information and data the processor has in its possession, if requested by the controller
- Delete or return all personal data to the controller, if requested by the controller and permitted by law
- Cooperate with reasonable data protection assessments to ensure compliance under the VCDPA
- Hold any subcontractor or business associate who conducts processing activities to the exact requirements that govern the processor
How is the VCDPA Enforced?
The Virginia Attorney General’s office and the state’s office of district attorneys have the sole right to enforce the VCDPA. In the event of a violation, the attorney general or district attorney’s office must provide the controller or processor with written notice. The notice must outline what sections of the law the controller or processor violated and give the controller or processor 30 days to remedy the breach, if possible.
If a controller or processor still violates the law after the 30-day cure period, the attorney general may initiate an action against the entity and pursue an injunction. Controllers or processors violating the VCDPA may incur civil penalties of up to $7,500 per individual consumer affected.
Important note: Under the VCDPA, there is no private right of action. Therefore, consumers cannot take legal action against a controller or processor.
VCDPA Website Compliance: Glossary of Important Terms
Under the VCDPA, Virginia defines several essential terms that outline who is considered a covered entity and the types of data protected under the law.
Consumer
The VCDPA explicitly protects the rights of consumers (any identifiable natural person who is a resident of Virginia acting in an individual or household context).
Important note: The VCDPA does not protect the rights of consumers acting in a commercial context or on behalf of an employer.
Personal Data
The VCDPA defines personal data as any linked data that can identify an individual. The VCDPA does not classify de-identified data or public information as personal data.
VCDPA Sensitive Data
The VCDPA also carries a definition for sensitive data. The law defines sensitive data as any personal data that reveals an individual’s:
- Racial or ethnic origin
- Religious beliefs or sexual orientation
- Mental or physical health
- Citizenship or immigration status
- Genetic or biometric data
- Precise geolocation data, or
- The personal data of a known child
Important Note: Businesses that process sensitive data are subject to additional regulations and requirements. Under the VCDPA, all entities must have consumer consent before collecting or processing sensitive data. These entities are also subject to data protection assessments.
Processing
Virginia defines the processing of personal data as any operation or collection of functions that utilizes personal data to complete the process. Processing activities include the following procedures:
- The collection of data
- The use of data
- The storage of data
- The analysis of data
- The deletion of data, or
- The modification of data
Targeted Advertising
Targeted advertising consists of advertisements directly displayed to a consumer based on predictions from previously collected data. The VCDPA’s definition includes advertisements that respond to a consumer’s prior activity or preferences gathered from a nonaffiliated website. The act grants consumers the right to opt out of target advertising.
Selling Data
The VCDPA defines the sale of personal data as the exchange of personal data for monetary consideration. This exchange commonly occurs between a controller and processor but can also occur between one processor to another. Consumers have the right to opt out of the sale of their data.
Profiling
Consumer profiling includes any form of automated data processing used to evaluate, analyze, or predict characteristics of an identifiable individual. The VCDPA’s definition of profiling includes processes used to predict an individual’s:
- Economic status
- Health
- Personal preferences
- Location
Virginia consumers have the right to opt out of profiling.
VCDPA Cookie Consent
The VCDPA defines consumer consent as a clear affirmative act that indicates a consumer’s agreement to the processing of personal data related to the consumer. A statement of consent can be any unambiguous written statement, including electronic messages.
Virginia Privacy Law vs CCPA
Being the first two comprehensive privacy protection acts enacted in the United States, the CCPA and VCDPA are often compared, and the two laws are different in many ways:
- The VCDPA clearly defines who’s personal data is protected (consumers residents of Virginia acting in an individual or household context). At the same time, the CCPA has had several amendments, including the California Privacy Rights Act (CPRA), issued to define its scope further.
- The CCPA gives consumers the right to private action, whereas the VCDPA does not.
- The CCPA gives businesses an annual gross revenue threshold, whereas the VCDPA does not.
Data Privacy Laws Around the United States
The rise of data privacy legislation across the United States correlates to the European Union’s General Data Protection Regulation (GDPR). The United States has followed the EU’s footsteps and passed several comprehensive laws to safeguard consumer privacy rights.
The following U.S. states have passed comprehensive privacy legislation:
Connecticut (CTDPA)
Florida (FDBR)
Indiana (INCDPA)
Iowa (ICDPA)
Montana (MTCDPA)
Tennessee (TIPA)
Utah (UCPA)
Virginia (CDPA)
How Can UpGuard Help Your Organization Achieve VCDPA Compliance?
UpGuard’s Vendor Risk Technology enables businesses to automate compliance risk assessments, receive real-time updates to their security posture, and manage VCDPA compliance across their entire supply chain.
UpGuard’s BreachSight technology allows businesses to assess their data handling process in accordance with VCDPA requirements. The technology also allows businesses to monitor their attack surface around the clock, gain confidence in their cybersecurity protections, and proactively protect their organization’s reputation.
