The Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act goes into effect on January 1, 2023. It will put in place a set of consumer rights, obligations for businesses, and penalties around consumer data privacy. With majority support from both the Virginia Senate and House, the Virginia Consumer Data Protection Act was signed into law on March 2, 2021, by Governor Ralph Northam.
With the passage of the Virginia Consumer Data Protection Act, Virginia becomes the second state in the country, following California, to legislate data privacy rights for consumers. The Virginia Consumer Data Protection Act includes concepts established in the European Union’s General Data Privacy Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and the California Privacy Rights Act of 2020 (CPRA).
Let’s jump in and learn:
- Scope of the Virginia Consumer Data Protection Act
- Exemptions in the Virginia Consumer Data Protection Act
- Rights in the Virginia Consumer Data Protection Act
- Obligations of the Virginia Consumer Data Protection Act
- Enforcement of the Virginia Consumer Data Protection Act
- The Virginia Consumer Data Protection Act Adds Another Patch to the Global Data Privacy Quilt
Scope of the Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act applies to businesses that conduct business in Virginia or offer products or services targeted to Virginia residents and that either control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers and derive more than 50% of their revenue from the sale of personal data. Consumer protections and rights apply to Virginia residents “acting only in an individual or household context,” excluding individuals acting in commercial and employment contexts.
According to the Virginia Consumer Data Protection Act, personal data is defined as any personal information that is linked or reasonably associated with an identified or identifiable natural person. The Virginia Consumer Data Protection Act does include data associated with households.
Key Roles under the Virginia Consumer Data Protection Act
When reviewing the Virginia Consumer Data Protection Act, there are numerous references to controllers and processors—those who must comply with the law. Following is an explanation of each and their roles. Note that there are situations where an entity can be a data controller, a data processor, or both.
A controller (also called a data controller) is a business that, alone or jointly with others, determines the purposes and methods of collecting and processing personal data—basically, the why and how. If any other organization is engaged in decisions related to why and how personal data is processed, a formal agreement must be put in place, and this relationship must be disclosed to consumers.
Processors (also called data processors) are third-party organizations that process personal data on behalf of a controller and under their authority. Typical activities of data processors include offering IT solutions, such as cloud-based services. The duties of a data processor must be detailed in a contract or via another legal act. If a data processor sub-contracts any part of its task to another processor or appoints a joint processor, prior written permission by the controller is required.
Each processor’s contract with a controller must include instructions for processing data, the nature and purpose of the consumer data processing, and the duration of the processing. It should also require that the processor:
- Commit that each person who processes personal data will be subject to a duty of confidentiality
- Cooperate with assessments of the processor’s policies and technical and organizational measures by the controller, or provide a report of such an assessment from a qualified, independent assessor
- Delete or return all personal data as requested at the end of the provision of services, unless retention of the personal data is required by law
- Make information available to demonstrate the processor’s compliance with the VCDPA
- Meet the obligations of the processor concerning the handling of personal data
In addition, processors must adhere to the instructions of a controller and help the controller:
- Conduct data protection assessments
- Fulfill consumer rights requests
- Meet the controller’s data security and data breach notification requirements
Exemptions in the Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act has a wider range of exemptions than the CCPA/CPRA.
Entities that are exempt from the Virginia Consumer Data Protection Act include:
- Agencies of the state
- Certain governmental entities
- Higher education institutions
- Political bodies
- Small businesses
Information subject to other federal laws is exempt from the Virginia Consumer Data Protection Act. This includes personal data that is covered by regulations such as:
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Also exempt from the Virginia Consumer Data Protection Act is data collected about a controller’s employees or independent contractors and used in relation to their respective roles. Excepted data also includes data that is required to:
- Act at a consumer’s request or for a consumer’s safety or security
- Comply with the law
- Conduct research in the public interest or internal research to improve products and services
- Credit information
- Defend legal claims
- Perform internal operations that can be reasonably anticipated by the consumer
The Virginia Consumer Data Protection Act also has carve-outs for categories of information regulated by HIPAA, including:
- Health records
- Information relating to human research subjects
- Protected Health Information (PHI)
Finally, the Virginia Consumer Data Protection Act limits secondary liability. This means that if a controller or processor discloses personal data to a third-party controller or processor and is in compliance with the Virginia Consumer Data Protection Act, it will not be found to have violated the law even if the third-party recipient violates the law (i.e., as long as the disclosing party did not know about the violation in advance).
Rights in the Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act gives Virginia consumers a number of rights to control the use of their personal information a business retains about them. Under the Virginia Consumer Data Protection Act, consumers must also be explicitly asked to consent to have a business collect or process their sensitive data.
If a consumer contacts a business to exercise any of their rights under the Virginia Consumer Data Protection Act, the business is required to respond within 45 days of receipt of the message. In the event that a business declines to act, which is permitted in certain instances, it must notify the consumer within 45 days. This notification must include the business’s justification for the decision and describe the appeal process.
If an appeal is submitted, the business has 60 days to provide a written explanation of why the appeal is being denied. Businesses must also inform consumers about how they can submit a complaint to the attorney general.
The Virginia Consumer Data Protection Act provides consumers with six central rights. In addition, consumers are afforded protection against discrimination for exercising their rights. From the business perspective, it is important to note that the Virginia Consumer Data Protection Act does not offer any exceptions to those rights. Businesses must comply with authenticated requests regardless of the impracticality or hardship of a consumer’s request.
1. Right to Access
Consumers have the right “to confirm whether or not a controller (i.e., business) is processing the consumer’s personal data and to access such personal data.”
2. Right to Correct Inaccuracies
Consumers have the right to “correct inaccuracies in their personal data,” based on the nature of the personal data and the purposes of processing it.
3. Right to Delete
Consumers have the right to “delete personal data provided by or obtained” about the consumer.
4. Right to Data Portability
Consumers have the right to “obtain a copy of the consumer’s personal data that the consumer previously provided to the controller (i.e., business)” in a portable and readily usable format, if technically possible.
5. Right to Know and Opt-Out
Consumers have the right “to confirm whether a controller (i.e., business) is processing the consumer’s personal data.” If consumers find that their personal data is being processed, they have the right to opt out of its use for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
6. Right to Appeal
Consumers have the right to appeal a controller’s (i.e., business’s) refusal to act within the time set forth in the Virginia Consumer Data Protection Act.
Obligations of the Virginia Consumer Data Protection Act
Consent for Processing Sensitive Data
The Virginia Consumer Data Protection Act requires businesses to obtain opt-in consent to collect or process sensitive data. Before processing such data, businesses must obtain the consumer’s consent via “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.”
Consumer Request Process
Under the Virginia Consumer Data Protection Act, businesses must establish at least one secure channel for consumers to submit requests to exercise their rights. The approach must be secure and reliable, take into account the ways in which consumers normally interact with the business, and include a way for the business to confirm the authenticity of the consumer making the request.
Data Processing Agreements (DPAs)
The Virginia Consumer Data Protection Act requires businesses to have agreements in place with processors that “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.”
Data Protection Assessments
The Virginia Consumer Data Protection Act requires businesses to evaluate the risks associated with processing activities as part of data protection assessments, but does not provide guidance on the frequency of assessments or on retention periods. According to the Virginia Consumer Data Protection Act, businesses must conduct these assessments for specific processing activities, including the:
- sale of personal data
- processing of personal data for purposes of targeted advertising or profiling
- processing of sensitive data
- any processing activities involving personal data that present a heightened risk of harm to consumers
The objective of data protection assessments is to identify and weigh the benefits to the business of processing consumers’ data against potential risks to consumers. As part of the assessments, businesses should consider the use of alternatives, such as replacing personal information with de-identified, synthetic, or pseudonymous data.
Limits on Collection and Use of Data
The Virginia Consumer Data Protection Act includes a provision that limits businesses’ collection of consumers’ personal data to that which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” Once collected, businesses may “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer unless the controller obtains the consumer’s consent.”
Any processing of consumers’ personal data must be limited to the disclosed purposes. Any other uses beyond that require consumer consent.
Notice of Sale
If businesses sell personal data to third parties or process personal data for targeted advertising, the Virginia Consumer Data Protection Act requires that this activity be clearly and conspicuously disclosed in the privacy notice. In addition, consumers must have a way to opt out.
The Virginia Consumer Data Protection Act requires businesses to give consumers the ability to opt out of the processing of their personal data for the purposes of targeted advertising, sale of personal data, or profiling.
Data Security
The Virginia Consumer Data Protection Act requires businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data that is processed and retained.
Enforcement of the Virginia Consumer Data Protection Act
The Virginia attorney general has exclusive authority to enforce the Virginia Consumer Data Protection Act. When a controller or processor receives a notice of violation of the Virginia Consumer Data Protection Act, it has up to 30 days to take action. It must cure the violation and provide the attorney general with an “express written statement that the alleged violations have been cured and that no further violations shall occur.” Separately, where reasonably necessary, a business may extend the 45-day deadline for responding to a consumer request by an additional 45 days, as long as it notifies the consumer.
Failure to comply can result in civil penalties of up to $7,500 per violation. In addition, businesses can be held responsible for reimbursing the attorney general’s office for its reasonable expenses, including attorney’s fees.
All civil penalties, expenses, and attorney’s fees collected under the Virginia Consumer Data Protection Act are paid to Virginia’s Consumer Privacy Fund. Payments made to the Consumer Privacy Fund are used to support the attorney general’s enforcement efforts.
Unlike the California Consumer Privacy Act, the Virginia Consumer Data Protection Act lacks a private right of action. The Virginia Consumer Data Protection Act explicitly precludes any class action enforcement.
The Virginia Consumer Data Protection Act Adds Another Patch to the Global Data Privacy Quilt
The Virginia Consumer Data Protection Act continues the global trend toward defining and upholding consumers’ rights regarding their personal information. Businesses should take the time to understand requirements to comply with the Virginia Consumer Data Protection Act to prevent costly penalties and illustrate their respect for customers’ desire to control personal data. In addition, experts recommend a full assessment of global data privacy regulations to develop a plan that addresses the specifics of each.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 21st March, 2022