While many companies are still grappling with the California Consumer Privacy Act (CCPA), Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law on Tuesday, March 2, 2021. The VCDPA is only the second comprehensive state privacy law after the CCPA. The privacy bill was introduced on January 8, 2021, and it only took weeks for it to be ratified by the General Assembly, 89-9 in the House and 39-0 in the Senate. The law is expected to take effect on January 1, 2023.
The law applies to any organization that “conducts business in the Commonwealth, or services that are targeted to residents of the Commonwealth,” provided the organization either “during a calendar year, controls or processes personal data of at least 100,000 consumers,” or “derives more than 50% of gross revenue from the sale of personal data” and “processes or controls personal data of at least 25,000 customers.” The law does not apply to state and local government entities. As with the CCPA, the law also provides exceptions for information governed by federal privacy laws (e.g., the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act).
As with the EU’s General Data Protection Regulation (GDPR) and the CCPA, organizations must provide consumers with a privacy notice stating the purpose of processing. “Personal data” is defined broadly to include any information that is linked or reasonably linkable to an identified or identifiable natural person. However, personal data does not include publicly available information, and the definition of consumer excludes “a natural person acting in a commercial or employment context.” The law also grants consumers several privacy rights over the processing of their personal data: the right to (a) access; (b) correct; (c) delete; (d) opt out; and (e) obtain a copy of personal data. The organization must respond to consumer requests within 45 days. The requested information must be provided free of charge, up to twice a year. As with the CCPA, the law does not allow organizations to discriminate against consumers for exercising their rights under the law.
As with the GDPR, the Virginia law introduces the concepts of controller (“determines the purpose and means of processing personal data”) and processor (“processes personal data on behalf of a controller”). It requires controllers to undertake data protection assessments before processing sensitive data. However, the assessment results are treated as confidential and are exempt from public inspection. The law also limits the collection of personal data to what is reasonably necessary for the purposes of processing.
Unlike the CCPA, the law does not provide a private right of action; in other words, a consumer cannot sue a company for violating his or her privacy rights under the law. Enforcement is left solely to the Attorney General of Virginia. Additionally, unlike the CCPA, the Virginia law defines “sale” narrowly as “the exchange of personal data for monetary consideration.”
Virginia is just one of many states to start 2021 with the introduction of a privacy bill. Several other states, including Washington, New York, Florida, and Illinois, have introduced their own privacy bills, leading many to continue wondering when a federal privacy law will be passed.
To be ready when the VCDPA and other state laws take effect, organizations should develop or review data inventories across all applicable products and consumer-facing corporate functions to understand how consumer personal information flows across business units, service providers, and third parties. Additionally, organizations should conduct a current-state assessment against the new Virginia obligations to identify any compliance gaps, then develop a roadmap of future activities to close those gaps and operationalize the new requirements.