If your website is accessible to Virginia residents or your business operates in Virginia, you may be subject to the Virginia Consumer Data Protection Act, enacted in 2021, provided you meet the processing thresholds described below.
In this guide, we help you understand your obligations under this new law and provide practical tips on how you can comply with the Virginia Consumer Data Protection Act, also known as Virginia's CDPA or VCDPA for short.
What about other U.S. states? To learn more about the big picture of data privacy in the United States and access our updated map and law tracker, head to our dedicated blog post:
{{us-map-link}}
The Virginia Consumer Data Protection Act in a nutshell
Passed by the Virginia General Assembly and signed into law on March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) was enacted to give consumers greater transparency and control over their personal information. The Attorney General does not pass the law; the Attorney General enforces it.
Inspired by the California Consumer Privacy Act (CCPA), the VCDPA covers similar obligations and it equips consumers with similar rights.
The VCDPA came into force on January 1, 2023. Businesses subject to the law should therefore already be in compliance with its requirements.
Does the Virginia Consumer Data Protection Act (VCDPA) apply to you?
You will be subject to the CDPA if the following two conditions are both fulfilled:
Condition 1: Your organization conducts business in Virginia or produces products or services that are targeted to Virginia residents.
Condition 2: You fulfill one of the following thresholds related to the processing of personal data, meaning that you either:
- Control or process the personal data of at least 100,000 consumers during a calendar year.
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of your gross revenue from the sale of personal data.
If you are already familiar with the CCPA, you will realize a key difference here: The VCDPA does not determine any financial thresholds for the applicability of the Law to an organization. This means that there is no distinction between big and small businesses when it comes to the scope of the law.
Material scope of the Virginia Consumer Data Protection Act
The CDPA applies to you when you collect and process the personal data of Virginia consumers. “Consumer” is defined as “a natural person who is a resident of the Commonwealth acting only in an individual or household context.”
In other words, data about Virginia residents that you collect and process in an employment or commercial (business-to-business) context is not "consumer" data: it falls outside the law and does not count toward the applicability thresholds.
Territorial scope of the Virginia Consumer Data Protection Act
The CDPA does not distinguish between Virginia-based organizations and foreign entities. Therefore, your organization will have to comply with the CDPA even if it is not located in Virginia.
How about public information under the Virginia Consumer Data Protection Act?
De-identified data and publicly available information are excluded from the scope of the CDPA. The following categories of data fall under the definition of “publicly available information”:
- "Information that is lawfully made available through federal, state, or local government records."
- "Information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience."
For example, a consumer’s publicly available social media accounts may fall under this definition and be excluded from the scope of the Virginia Consumer Data Protection Act. In this case, you will not take into account such data when you calculate the applicability threshold.
Who is exempted from complying with the Virginia Consumer Data Protection Act (VCDPA)?
The CDPA automatically excludes certain organizations from its scope. Even if an organization fulfills the thresholds set out by the CDPA, it will not be subject to the CDPA if it falls under any of the following categories:
- A body, authority, board, bureau, commission, district, Virginian agency, or any Virginian political subdivision.
- Any financial institution or data subject to the Gramm-Leach-Bliley Act.
- A covered entity or business associate subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
- A nonprofit organization.
- An institution of higher education.
What data is exempt from the Virginia Consumer Data Protection Act (VCDPA)?
Alongside the entity-level exemption we explained above, the CDPA also introduces a data-level exemption; putting certain data categories outside the applicability of the Law.
The CDPA does not apply to 14 categories of data, so collecting and processing data that falls entirely within one of these categories does not trigger the law's obligations. These categories include, but are not limited to:
- Job applicant data,
- Data regulated by the Fair Credit Reporting Act
- Data regulated by the Family Educational Rights and Privacy Act
Key requirements of the Virginia Consumer Data Protection Act (VCDPA)
If your business is subject to the VCDPA, you need to comply with the following key obligations when processing data of Virginia consumers. However, please note that there may be other obligations to fulfill.
- Adhering to the data minimization principle: The VCDPA requires that you limit the collection of personal data to what is "adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed."
- Obtaining consent for secondary use of personal data: The VCDPA prohibits processing personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which such personal data is processed, unless you obtain the consumer's consent. For example, you may collect the purchase history of your customers to fulfil their orders. If you later decide to use that purchase history for profiling or advertising, you will need the consumers' consent, because that is not compatible with the purpose you disclosed at collection.
- Obtaining consent for the collection of sensitive data: Under the CDPA, processing sensitive data is prohibited unless you obtain the consumer's consent. Examples of sensitive data are personal data revealing racial or ethnic origin, personal data related to a mental or physical health diagnosis, precise geolocation data, and genetic or biometric data.
- Designing and implementing data security practices: Similarly to the GDPR, the VCDPA requires businesses to "establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data." The security program must be proportionate to the volume and nature of the personal data at issue.
- Carrying out data protection assessments: The VCDPA lists specific data processing activities that require businesses to conduct data protection assessments. These include the use of personal data for targeted advertising and the sale of personal data.
- Creating a privacy policy: Just like the GDPR, the CDPA puts transparency at the forefront and requires businesses to implement a privacy policy that explains the following:
- The categories of personal data that are collected and processed
- The purposes for the collection and use of personal data
- How consumers can exercise their rights such as data access and deletion
- What data is shared with third parties and what are the categories of these recipients
- Fulfilling data subject requests: The CDPA grants consumers the right to access, correct, and delete their data, and the right to appeal your decision on a request to exercise these rights.
Furthermore, consumers can opt out of the processing of their data for the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. Lastly, consumers have a right to data portability: they can obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format so that they can transmit it to another controller.
For instance, when you receive a data deletion request, you need to delete personal data provided by or obtained about the relevant consumer.
To learn more about data subject access requests (DSARs) and how you can handle them, take a look at Didomi's Privacy Request module:
{{discover-our-privacy-request-module}}
What are the penalties for non-compliance with the Virginia Consumer Data Protection Act (VCDPA)?
Under the VCDPA, consumers do not have the power to bring a claim against businesses for non-compliance with the VCDPA requirements. Only the Virginia Attorney General can take action against non-compliance with VCDPA requirements.
If a violation is found, an organization faces civil penalties of up to $7,500 per violation under the Law.
Furthermore, the Law includes a 30-day “Right to Cure” mechanism that allows businesses to rectify any non-compliance issue within 30 days of notification from the Attorney General.
Virginia's VCDPA vs California's CPRA and the EU's GDPR
When it comes to comparing the Virginia Consumer Data Protection Act with other key data privacy regulations, what are some of the differences you should know about?
VCDPA vs GDPR
Although there are many similarities between the EU General Data Protection Regulation (GDPR) and the VCDPA, there are a few key differences you should be aware of:
- Under the GDPR, businesses are required to identify and rely on a legal basis, such as consent or legitimate interests, to collect and process personal data. The VCDPA, on the contrary, does not contain such a requirement.
- Deidentified and public information is exempt from the VCDPA. Its European counterpart, however, still considers public information as falling under its scope; only truly anonymized data is outside the scope of the GDPR.
- Unlike the VCDPA, the GDPR does not give consumers the right to opt out of the sale of their personal data.
VCDPA vs CPRA
When it comes to the California Privacy Rights Act (CPRA), the key differences with Virginia’s data privacy legislation are as follows:
- Under the CPRA, consumers can limit the use and disclosure of their sensitive personal information, and there is no blanket prohibition on the collection and use of sensitive data. The CDPA, on the other hand, prohibits processing sensitive data unless consumers give their consent.
- Unlike the Virginia CDPA, California's CPRA provides consumers with a private right of action, although it is limited to certain data breaches.
Staying on top of the various data privacy laws out there and what differences they present can be challenging at times and even downright overwhelming. For an overview of the current data privacy laws in the U.S., head to our extensive article keeping track of changes in the North American data privacy landscape, and save our Privacy Legislation Tracker for a cheat sheet.
VCDPA and consent requirement
Under the VCDPA, there is no general requirement that you obtain the consent of consumers before collecting and processing data. However, it requires businesses to obtain consent when they collect and process data in the following ways:
- As we explained above, you need to obtain the consent of consumers when you decide to use collected personal data for secondary purposes incompatible with the original purpose.
- Before you can collect and process sensitive data, you need to obtain the consent of the consumers.
- You need to enable consumers to opt out of the use of their data for targeted advertising, sales, and profiling that produce legal or similarly significant effects.
Therefore, you need a robust mechanism to obtain, record, and maintain consent provided by consumers, and you need to allow consumers to exercise their right to opt-out.
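The three rules summarized in this section (consent for incompatible secondary purposes, opt-in consent for sensitive data, and opt-out for targeted advertising, sale and significant-effect profiling) can be encoded as a single authorization check that a data pipeline runs before processing a record. The following is an added example written for this guide; it is not Didomi's code and not the text of the law. The purpose names, the sensitive-category taxonomy, the compatibility mapping and the sample consumers are all assumptions constructed for illustration.

```python
"""Purpose-based authorization against a consent ledger (added example).

Encodes the VCDPA rules summarized above as one decision function:
  1. sensitive categories require active opt-in consent for the purpose,
  2. opt-out purposes are denied once the consumer has opted out,
  3. a purpose that was neither disclosed at collection nor compatible
     with a disclosed purpose requires consent.
Names and taxonomy below are illustrative assumptions, not the statute.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Assumed sensitive-category taxonomy (illustrative, not the statutory list).
SENSITIVE_CATEGORIES: Set[str] = {
    "racial_or_ethnic_origin", "health_diagnosis", "precise_geolocation",
    "genetic", "biometric", "religious_beliefs", "sexual_orientation",
}
# Purposes the consumer may opt out of rather than having to opt in to.
OPT_OUT_PURPOSES: Set[str] = {"targeted_advertising", "sale", "significant_effect_profiling"}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None  # None while the consent stands

    def active(self, at: datetime) -> bool:
        # Consent counts only between grant and (exclusive) withdrawal.
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class Consumer:
    consumer_id: str
    disclosed_purposes: Set[str]            # purposes stated in the notice at collection
    consents: List[ConsentRecord] = field(default_factory=list)
    opt_outs: Set[str] = field(default_factory=set)

    def has_consent(self, purpose: str, at: datetime) -> bool:
        return any(c.purpose == purpose and c.active(at) for c in self.consents)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(consumer: Consumer, purpose: str, categories: Iterable[str],
              compatible: Dict[str, Set[str]], at: datetime) -> Decision:
    """Decide whether `consumer`'s data in `categories` may be processed for `purpose` at time `at`."""
    sensitive = set(categories) & SENSITIVE_CATEGORIES
    # Rule 1: sensitive data is opt-in, regardless of how the purpose was disclosed.
    if sensitive and not consumer.has_consent(purpose, at):
        return Decision(False, f"sensitive categories {sorted(sensitive)} need opt-in consent for '{purpose}'")
    # Rule 2: honour a recorded opt-out for sale / targeted advertising / profiling.
    if purpose in OPT_OUT_PURPOSES and purpose in consumer.opt_outs:
        return Decision(False, f"consumer opted out of '{purpose}'")
    # Rule 3: secondary use needs consent unless compatible with a disclosed purpose.
    compatible_set = set().union(*(compatible.get(p, set()) for p in consumer.disclosed_purposes))
    if purpose not in consumer.disclosed_purposes and purpose not in compatible_set:
        if not consumer.has_consent(purpose, at):
            return Decision(False, f"'{purpose}' is a secondary purpose with no consent on record")
        return Decision(True, f"secondary purpose '{purpose}' covered by consent")
    return Decision(True, f"'{purpose}' is a disclosed or compatible purpose")


# Constructed sample data: an assumed compatibility map and two consumers.
T0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2023, 2, 1, tzinfo=timezone.utc)
T2 = datetime(2023, 3, 1, tzinfo=timezone.utc)
COMPATIBLE = {"order_fulfilment": {"fraud_prevention", "customer_support"}}


def demo() -> Dict[str, bool]:
    """Walk the purchase-history scenario from the guide plus a sensitive-data withdrawal."""
    results: Dict[str, bool] = {}
    alice = Consumer("alice", {"order_fulfilment"})
    results["fraud_before_consent"] = authorize(alice, "fraud_prevention", {"email", "purchase_history"}, COMPATIBLE, T0).allowed
    results["ads_before_consent"] = authorize(alice, "targeted_advertising", {"purchase_history"}, COMPATIBLE, T0).allowed
    alice.consents.append(ConsentRecord("targeted_advertising", granted_at=T0))
    results["ads_after_consent"] = authorize(alice, "targeted_advertising", {"purchase_history"}, COMPATIBLE, T1).allowed
    alice.opt_outs.add("targeted_advertising")
    results["ads_after_opt_out"] = authorize(alice, "targeted_advertising", {"purchase_history"}, COMPATIBLE, T2).allowed

    bob = Consumer("bob", {"appointment_booking"})
    bob.consents.append(ConsentRecord("health_research", granted_at=T0, withdrawn_at=T2))
    results["health_with_consent"] = authorize(bob, "health_research", {"health_diagnosis"}, COMPATIBLE, T1).allowed
    results["health_after_withdrawal"] = authorize(bob, "health_research", {"health_diagnosis"}, COMPATIBLE, T2).allowed
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Two design points matter for a real ledger: decisions are evaluated at a point in time, so a withdrawn consent stops authorizing processing from the withdrawal timestamp onward while earlier processing remains justified, and the opt-out check runs independently of any consent that may exist, so a later opt-out overrides an earlier opt-in for the same purpose.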
How Didomi can help with VCDPA compliance
Knowing the Virginia Consumer Data Protection Act requirements is one thing, but confidently taking steps to ensure compliance is another.
Didomi aims to become the partner of choice for organizations around the world to lead with data privacy best practices and steer clear of potential fines. Through our expertise, guidance, and product offering, we are here to help.
Browse our website to learn more about our Consent Management Platform, Preference Management Platform, Privacy Request module, and Advanced Compliance Monitoring, or book a time with one of our experts to discuss your challenges directly:
{{talk-to-an-expert}}
Frequently Asked Questions (FAQ)
What is the Virginia Consumer Data Protection Act (VCDPA)?
The VCDPA is a data privacy law enacted to give Virginia residents greater control over their personal data. It grants rights such as accessing, correcting, and deleting data, opting out of data sales, and requiring consent for processing sensitive data.
Who needs to comply with the VCDPA?
Businesses must comply if they conduct business in Virginia or offer products or services to Virginia residents, and meet one of the following thresholds:
- Control or process the personal data of at least 100,000 consumers in a calendar year.
- Control or process the personal data of at least 25,000 consumers and derive 50% or more of gross revenue from selling personal data.
What rights do Virginia consumers have under the VCDPA?
Consumers have the right to:
- Access, correct, and delete their personal data.
- Opt out of targeted advertising, profiling, and the sale of their data.
- Transfer their data to another entity (data portability).
What are the key obligations for businesses under the VCDPA?
Businesses must:
- Provide clear privacy notices.
- Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
- Obtain consent for collecting sensitive data.
- Implement strong data security measures.
- Conduct data protection assessments for certain processing activities.
Who is exempt from the VCDPA?
The following are exempt:
- Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA).
- Entities under HIPAA and HITECH Acts.
- Nonprofits and higher education institutions.
- Government bodies and agencies.
What are the penalties for non-compliance with the VCDPA?
The Virginia Attorney General enforces the VCDPA. Non-compliance can result in fines of up to $7,500 per violation. Businesses have a 30-day "Right to Cure" period to address compliance issues after notification.