Virginia recently enacted a new comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA), which goes into effect on January 1, 2023.
The VCDPA applies to all persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that: (i) control or process personal data of at least 100,000 consumers during a calendar year; or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. “Personal data” means “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and it does not include de-identified data or publicly available information.
The VCDPA does not apply to, among others, the following:
- Financial institutions or data subject to GLBA;
- Nonprofit organizations;
- Certain activities and data regulated under FCRA; or
- Data collected in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor or third party, to the extent that such data is collected and used in the context of that role.
Note that the term “controller” is generally defined as a person that determines the purpose and means of processing personal data. Additionally, “processor” means a natural or legal entity that processes personal data on behalf of a controller. Moreover, “process” or “processing” means any operation performed on personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Consumer Rights and Requests
The VCDPA gives consumers certain rights with respect to their personal data. Specifically, under the new law, among other things, a Virginia consumer may submit a request to a controller to: (i) confirm whether a controller is processing the consumer’s personal data and access such personal data; (ii) correct inaccuracies in the consumer’s personal data; (iii) delete the consumer’s personal data; (iv) obtain a copy of the personal data previously provided by the consumer; and (v) opt out of the processing of the consumer’s personal data for certain purposes (e.g., targeted advertising or the sale of personal data).
Controllers must generally respond to a request from a consumer within 45 days of receipt of the request, but may extend the response period for an additional 45 days when reasonably necessary so long as the consumer is notified within the initial 45-day response period. Note that if a controller is unable to authenticate the consumer’s request using commercially reasonable efforts, the controller is not required to comply with the consumer’s request and may ask the consumer to provide additional information to authenticate the consumer and the consumer’s request. Further, a controller must establish a process for a consumer to appeal the controller’s refusal to take action on a request. Note that within 60 days of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal. If the appeal is denied, the controller must also provide the consumer with an online mechanism or other method through which the consumer may contact the Virginia Attorney General (AG) to submit a complaint.
Notice Requirements and Other Obligations
The VCDPA requires controllers to, in part, provide a privacy notice and describe one or more secure and reliable manners for consumers to submit requests pursuant to their rights under the VCDPA. Moreover, the VCDPA imposes certain additional obligations on controllers related to: (i) the purposes for which personal data is collected and processed; (ii) security practices to protect personal data; (iii) compliance with state and federal anti-discrimination laws; and (iv) affirmative consent requirements to process sensitive data (as defined by the VCDPA). Controllers must also conduct and document certain data protection assessments.
In general, a processor must adhere to the instructions of a controller and assist the controller in meeting its obligations under the VCDPA. According to the VCDPA, determining whether a person is acting as a controller or processor is a fact-based determination that depends upon the context in which personal data is to be processed.
Penalties and Enforcement
The VCDPA does not create a private right of action for consumers. However, the AG can seek injunctive relief and impose civil penalties of up to $7,500 per violation. All civil penalties, expenses, and attorney fees collected pursuant to the VCDPA will be credited to the Consumer Privacy Fund to support the work of the AG to enforce the VCDPA.