On Tuesday, March 2, 2021, Virginia Gov. Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. Virginia now joins California as one of the two states with comprehensive data privacy laws on record.
Notably, the VCDPA does not become effective until January 1, 2023 – the same effective date as the California Privacy Rights Act, also known as “CCPA 2.0.” The VCDPA shares some aspects of California’s law, but also borrows concepts from the European Union’s General Data Protection Regulation (GDPR).
Unlike California’s Consumer Privacy Act, the VCDPA follows the GDPR in establishing the concept of data “controllers” with heightened obligations for processing and securing data, as opposed to data “processors” with fewer obligations. Notably, borrowing from GDPR’s focus on consumer consent, VCDPA requires businesses to obtain consumers’ clear, affirmative consent to process certain types of data that it deems sensitive, including race, ethnicity, religious beliefs, health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data sufficient to identify a person, and precise geolocation data. The VCDPA will also require data controllers to complete data protection assessments for activities that are considered high-risk to the consumer and also for data processed in connection with targeted advertising or data sales. Moreover, the VCDPA will require businesses to permit consumers to opt out of the sale of their data – like the CPRA – but it will also permit consumers to opt out of having their data used in furtherance of targeted advertising or for profiling purposes.
Importantly, the VCDPA does not create a private right of action for consumers; only the Virginia Attorney General can enforce the law by seeking injunctive relief and imposing civil penalties of up to $7,500 per violation. Nor does its definition of “consumer” reach individuals acting in a commercial capacity, which carves B2B activity out of the law’s scope. Further, entities subject to certain sector-specific privacy laws like HIPAA and the Gramm-Leach-Bliley Act are exempt from the VCDPA.
Still, as the second law of its type in the United States, the VCDPA has significant implications for businesses that provide products or services to Virginians, or collect or otherwise process data associated with a substantial number of Virginia residents. With a number of similar bills proceeding through state legislatures around the country – including Florida, New York, and Washington – it is clear that the principles underpinning the CCPA and VCDPA will become more widespread in the near term. Early-stage planning is critical both to identify the necessary steps to achieve compliance and to do so in an effective, efficient manner within the shifting regulatory landscape in this field.