Virginia joins California in enacting a comprehensive data privacy law with the Virginia Data Protection Act, becoming the second state to have legislation giving consumers the right to access data organizations have collected about them.
Like the California Consumer Privacy Act, Virginia’s law will give consumers the right to confirm with companies whether their personal information is being collected and used; access their data in a “portable...readily usable format”; make corrections to any inaccuracies; and request the data to be deleted. Consumers can also opt out of collection and use of data “for purposes of targeted advertising, the sale of personal data, or profiling.” The Virginia Consumer Data Protection Act defines “personal data” to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes de-identified and publicly available information.
Prior to the Virginia Consumer Data Protection Act, Virginia had a data breach notification law and statutes on the books protecting specific types of data in certain contexts, but no comprehensive data privacy law. While based on the Washington Privacy Act proposed earlier this year in the Washington Senate, VCDPA has a number of modifications making it more business-friendly.
The “sale of personal data” is defined only as “the exchange of personal data for monetary consideration by the controller to a third party,” making its definition narrower than what CCPA considers a sale. The Virginia law excludes the disclosure of personal data to a third-party entity that processes the data on behalf of the organization collecting the information, sharing with an affiliate partner, or exchanging data as part of a merger, acquisition, or some other transaction. The organization collecting the personal data can also share the information the consumer intentionally made public—or did not restrict the information to a specific audience.
The Act also exempts 14 types of data sets, including HIPAA personal health information, personal data regulated by FERPA, employment-related data, and certain types of data regulated by the FCRA.
The VCDPA explicitly defines targeted advertising as advertising based on the personal data the organization has collected from multiple sources and other websites. Targeted advertising does not include ads solely based on information obtained from the customer's visit to the organization's website.
Data Processing Rules
While the law clearly defines the consumer’s rights, it also carves out a broad list of entities that are exempt. The Act applies only to organizations that control or process personal data of at least 25,000 customers and derive over 50 percent of gross revenue from the sale of personal data, or handle personal data for at least 100,000 consumers during a calendar year. HIPAA-covered entities and business associates, nonprofits, higher education institutions, and financial institutions subject to the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) are also exempt from the law.
The fact that there is a consumer threshold and no revenue threshold means the law will apply to a smaller segment of businesses.
With the law, organizations must limit their data collection to data that is relevant and reasonably necessary to provide the service to the consumer, and to not process data for other purposes without explict consent. The law also requires organizations to implement reasonable security practices to protect the data and not discriminate against a consumer for opting out of data collection or otherwise exercising their rights over their data (such as denying service). Organizations are required to provide consumers with privacy notices that disclose the categories of personal data collected, the reason why the data is being collected, and how consumers can submit their requests to access/correct/delete the data.
The law protects personal data such as those revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Biometric and genetic data which can be used to identify a person and precise geolocation information are protected, as is data collected from a child.
Similar to GDPR
The VCDPA is similar to the European Union's General Data Protection Regulation in that it distinguishes between "controllers," the entities using the consumer data and deciding how the data will be used, and "processors," the entities who handle the data on the behalf of the original organization. The law outlines specific requirements governing that relationship.
One of the challenges of having multiple data protection regimes is that enterprises have to make sure they are aware of all the differences and make sure they are complying with each one of them. Just addressing the common elements will inevitably leave open some gaps.
For example, the VCDPA has different threshold requirements than the legislation currently winding through the state legislatures in Washington and New York. New York and Virginia both have different rules governing data brokers, but Washington's current version of the legislation does not. New York requires consent for processing any kind of consumer data, while Washington requires it for sensitive data. VCDPA requires explicit consent only if the consumer has indicated they want to restrict how their data is being used.
Virginia’s legislation does not contain a private right of action for consumers, although there is language allowing for a private cause of action, with a cap on damages. The state attorney general has the exclusive authority to enforce violations, such as seeking damages for up to $7,500 for each violation.
After the Virginia House of Delegates voted 89-9 to pass Virginia Consumer Data Protection Act (HB2307) on Jan. 29, the focus was on the state Senate to act on SB1392. Now that the Senate has unanimously passed the bill, the state legislators have until Feb. 11 to reconcile the bills and finalize the law. The consensus is that this is a procedural matter because the two versions are essentially identical, so the final legislation is expected to take effect Jan. 1, 2023.