Client Alert: Virginia Privacy Law Takes Effect January 1, 2023

New Rights for Consumers, New Obligations for Businesses

Date: July 25, 2022
With the passage of the Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575 to 59.1-585) (“VCDPA”) on March 2, 2021, Virginia residents now have certain rights regarding their personal information, while business entities conducting business in Virginia may have new and additional data collection and protection obligations, if they meet certain jurisdictional thresholds.  
 
VCDPA will become effective on January 1, 2023.  As a result, organizations conducting business in Virginia may need to review their data collection and processing obligations for applicability of the VCDPA, and in preparation for the VCDPA taking effect.
 
This brief article is intended to highlight certain key requirements of the VCDPA.
 
Businesses Covered by the VCDPA
 
VCDPA applies to all entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that, during a calendar year, (1) control or process personal data of at least 100,000 Virginia residents, or (2) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.  Borrowing from the European Union General Data Protection Regulation, the VCDPA in turn employs the “controller” and “processor” terminology to designate a covered business and any subcontractor or subprocessor, respectively, where the services provided by a processor broadly contemplate or include the collection, use, storage, disclosure, analysis, or deletion of personal data.
 
Notably, the VCDPA applies only to personal data of a Virginia resident acting in an individual or household context, and excludes personal data of a natural person acting in a commercial or employment context.
 
There are other notable exemptions under the VCDPA.  For example, the VCDPA does not apply to state government entities, nonprofit organizations, institutions of higher education, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, and covered entities or business associates subject to HIPAA and the HITECH Act.  In addition, 14 specific categories of data under other laws and regulations are exempt.
 
Consumer Rights under the VCDPA
 
Businesses that have changed the way they process personal information and adopted new or revised privacy policies to comply with the requirements of the California Consumer Privacy Act (the “CCPA”) will recognize similar consumer rights and business duties under the VCDPA.  However, important differences remain for each of the consumer rights available under both the CCPA and the VCDPA, and a careful review of each regulation is warranted to ensure that the processes for responding to and handling any individual data requests are compliant with both the CCPA and the VCDPA.  Generally, the VCDPA includes the following consumer rights:
 
  • The right to know and confirm whether a controller is processing the consumer’s personal data, and to access the data;
  • The right to correct inaccuracies in the consumer’s personal data;
  • The right to delete personal data of the consumer, subject to a number of exceptions in each case;
  • The right to obtain a copy of the personal data, in a readily usable format.
 
More significant differences emerge between the CCPA and the VCDPA with respect to the consumer opt-out rights, with the following opt-out rights currently available under the VCDPA:
 
  • The right to opt out of the processing of personal data for targeted advertising purposes;
  • The right to opt out of the sale of personal data; and
  • The right to opt out of profiling based upon personal data.
 
As with the opt-out rights, the VCDPA also differs from the CCPA in instances where a consumer consent is required for certain data collection or processing, with the VCDPA requiring consent before a controller can collect and process a consumer’s sensitive data (as further defined in the VCDPA). 
 
Contractual Clauses; Data Security and Processing Obligations
 
Like the CCPA, the VCDPA requires that controllers and processors employ certain contractual obligations in their respective agreements, where the services broadly contemplate or may include the collection, use, storage, disclosure, analysis, or deletion of personal data.
 
These data processing agreements or provisions under the VCDPA must clearly set forth instructions for processing of data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the general rights and obligations of both parties.  The contract or the applicable contract terms must also generally address the confidentiality obligations of the parties, the deletion or return of personal data upon expiration or termination, and certain audit and compliance assessment obligations. 
 
Separately, the VCDPA imposes on controllers a number of somewhat related processing obligations.  The first of these, generally recognized as a data minimization principle, requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary.  Unless the controller has obtained consumer consent, a controller is prohibited from processing personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed.  In turn, having a current and comprehensive privacy policy that clearly identifies the categories of personal data processed by the controller and the related processing purpose(s) will significantly mitigate the risks associated with secondary yet undisclosed collection purposes. 
 
The VCDPA also imposes on controllers an obligation to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, as appropriate to the volume and nature of the personal data at issue.  Controllers are also required to conduct and document a data protection assessment for each of the following processing activities involving personal data:
 
  • Targeted advertising;
  • Sale of personal data;
  • Profiling in certain circumstances;
  • Processing of sensitive data; and
  • Processing activities that present a heightened risk of harm to consumers.
 
The frequency of such assessments is not specified in the VCDPA.  In addition to other requirements for the data protection assessments, the VCDPA provides that, pursuant to a civil investigative demand, the Attorney General may request and evaluate a controller’s data protection assessment for compliance. 
 
Overall, the Attorney General is granted exclusive authority to enforce the provisions of the VCDPA, as the VCDPA does not contain any private right of action.
 
****
Like all comprehensive privacy laws, the VCDPA will significantly impact the personal data processing activities, data security measures, privacy policies, and contractual obligations of controllers and processors subject to the VCDPA.  In addition, while the VCDPA grants enforcement rights to the Virginia Attorney General, it does not provide for further rulemaking or regulation adoption by the Virginia Attorney General's office.  As such, any amendments will come through the legislative process, which should be carefully monitored for any potential changes that may be applicable to your organization.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.