United States: Virginia Consumer Data Protection Act takes effect in 2023


Companies worldwide must comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to the personal information of Virginia consumers. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA), but excludes employee information and business representatives' information from its scope.


  1. Who and what information is protected?
  2. Who should comply?
  3. How to comply?

Businesses that have taken steps to comply with the CCPA may use some of their existing vendor contract terms, website disclosures, and data subject rights response processes to meet requirements under the VCDPA. However, the VCDPA has some unique requirements and guidelines that require VCDPA-specific approaches to compliance. For example, the VCDPA requires businesses to obtain opt-in consent before processing sensitive personal data and to conduct data protection assessments when processing sensitive data or performing certain activities with personal data, such as targeted advertising, marketing or profiling. Unlike the CCPA and other privacy-related laws, the VCDPA does not provide the Virginia Attorney General with rulemaking authority. Any changes to the VCDPA must be made through an amendment by the Legislature.

The VCDPA will come into force on 1 January 2023 and will not include a breach review period.

Who and what information is protected?

The VCDPA protects “consumers,” which the statute defines as Virginia residents acting on an individual or household basis. Persons acting in an employment or commercial context are expressly excluded from protection.

The VCDPA defines “personal information” as information that is linked or reasonably linkable to an identified or identifiable individual, but does not include information that is de-identified or publicly available. Unlike the CCPA, the VCDPA does not expressly protect the personal information of households.

The VCDPA includes exemptions for certain types of data and entities. These include exemptions for entities governed by the Gramm-Leach-Bliley Act (GLBA), certain information maintained by public utilities, employment records, health care information held by covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), and types of information already regulated under other federal laws, including the GLBA, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act (COPPA).

Who should comply?

Unless an exemption applies, the VCDPA applies to “controllers” and “processors” that do business in Virginia or that intentionally sell products or services to Virginia residents and that meet one of the following criteria: the business (i) controls or processes the personal information of 100,000 or more consumers per calendar year; or (ii) controls or processes the personal information of at least 25,000 consumers and derives more than 50 percent of its total revenue from the sale of personal information.


A “controller” is similar to a “business” under the CCPA and is defined as a person who, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” is similar to a “service provider” under the CCPA and is defined as a person who processes personal data on behalf of a controller; a company qualifies as a “processor” under the VCDPA only insofar as it processes personal data on the controller’s behalf. The VCDPA requires processors to follow the controller’s instructions and to assist the controller in fulfilling the controller’s own obligations, and the two parties must enter into an agreement containing certain terms set out in the VCDPA.

How to comply?

Privacy Notice. Under the VCDPA, controllers must provide privacy notices that include: (i) the categories of personal data processed by the controller; (ii) the purposes of the processing; (iii) how consumers can exercise their rights, including the controller’s contact information and how the consumer can appeal the controller’s decision on the consumer’s request; (iv) the categories of personal information that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal information. Unlike the CCPA, the VCDPA does not expressly require that privacy notices be provided prior to collection, and they do not need to include certain elements required by the CCPA, such as information about the sources of personal information, the processes the controller follows to verify requests, or information about financial incentives offered in exchange for the collection, retention or sale of personal information. Depending on what a business currently publishes and what its notice contains, many businesses can therefore use their current privacy notices to comply with the VCDPA by updating them to include a statement about the consumer’s right under the VCDPA to appeal the controller’s decision on a data subject request.

The VCDPA also requires controllers that “sell” personal data to third parties or process personal data for targeted advertising to clearly and publicly disclose such processing, as well as how a consumer may exercise the right to opt out of such processing. Unlike the CCPA, the VCDPA’s definition of “sale” of personal information is limited to the exchange of personal information for monetary payment. The VCDPA also excludes certain types of disclosures from the “sale” of personal information, such as disclosures to a processor to process personal information for a controller, disclosures of personal information to a third party for the purpose of providing a product or service at a consumer’s request, disclosures to a controlling affiliate, disclosures of personal information to third parties in the context of a merger or similar transaction or disclosure of personal information intentionally made available by the consumer to the general public or media.


Sensitive information. Unlike the CCPA, which imposes an “opt-out” regime for the processing of sensitive personal data outside of certain authorized purposes, the VCDPA requires consumers to “opt in” to the processing of their sensitive data.

The VCDPA defines “sensitive information” to mean certain prescribed categories of information, including personal information that reveals an individual’s race, ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; personal data of a known child (up to 13 years old); genetic or biometric data processed for the purpose of uniquely identifying an individual; and precise geolocation data.

In practice, fitness trackers, delivery app services, and other businesses that provide recommendations and/or services based on a consumer’s precise location must obtain opt-in consent from users before processing such personal data. When handling children’s data, companies must obtain consent from parents or guardians in accordance with COPPA’s verifiable parental consent requirements.

Technical and organizational measures, assessment. The VCDPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices, and to conduct data protection assessments and documentation before performing any processing activity that presents an increased risk of harm to the consumer. The VCDPA considers processing for the purposes of targeted advertising or profiling, the sale of personal data, and the processing of sensitive data to be activities that generally increase the risk of harm to consumers.

The CCPA did not originally include such an assessment requirement, but the California Privacy Protection Agency is mandated under the CCPA to promulgate regulations requiring audits and risk assessments as well. Companies should be able to use assessments made under the VCDPA to comply with the CCPA and other US state privacy laws.

Data processing agreements. Before a processor performs any processing on behalf of a controller, the parties must enter into an agreement that includes terms similar to those in other US state privacy laws (and the GDPR), including the controller’s processing instructions and requirements, and that requires the processor to (1) keep personal data confidential; (2) delete or return to the controller all personal data at the end of the provision of services, except where retention of the personal data is required by law; (3) make information available to the controller upon request; (4) cooperate with third-party assessments; and (5) enter into similar agreements with subcontractors. Processors must comply with controllers’ instructions and use appropriate technical and organizational measures to assist controllers in meeting their obligations under the VCDPA. Businesses should update their contracts and keep standardization in mind where possible (see Standardization of Data Processing Agreements Worldwide).


Data subject rights. Under the VCDPA, consumers have the right to know whether a controller is processing their personal information, to access the personal information collected, to obtain a portable copy of that personal information in a format that can be transmitted to another controller, and to correct and delete the personal data held about them. Consumers also have the right to opt out of the sale of their personal information and of the use of their personal information for targeted advertising and certain types of profiling.

Responding to data subject rights requests. Under the VCDPA, consumers are entitled to a response to their requests without undue delay and in any case within 45 days of receipt of the request. Controllers can extend this period by up to another 45 days if necessary, and the consumer will ultimately have the opportunity to appeal any decision made by the controller through the controller’s appeals process (which the VCDPA requires controllers to put in place). The appeals process must provide the consumer with a response to the appeal within 60 days and must provide the consumer with information on how to contact the Virginia Attorney General if the consumer has concerns about the outcome of the appeal. This differs from the CCPA, which does not mandate an appeals process.

Sanctions and remedies. Unlike the CCPA, the VCDPA provides no private right of action, but the Virginia Attorney General can seek fines or civil penalties of up to $7,500 per violation. The Virginia Attorney General must first notify the controller of the violation and allow a 60-day cure period before taking enforcement action. Like the CCPA, the VCDPA creates a consumer privacy fund that supports actions by the Virginia Attorney General to enforce the VCDPA.

The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “Attorney Advertising” which requires notice in some jurisdictions. Previous results do not guarantee similar results. For more information, please visit: www.bakermckenzie.com/en/client-resource-disclaimer.
