Virginia’s New Consumer Data Protection Act
Virginia’s New Consumer Data Protection Act

Last week, the Virginia House of Delegates overwhelmingly passed HB2307, the Virginia Consumer Data Protection Act (“VCDPA”), which has been sent to the Senate Committee on General Laws and Technology for review and comparison with a recently passed State Senate bill; now the race is on to reconcile the House and Senate bills prior to adjournment of the Virginia General Assembly on February 11. If a final bill is agreed upon (and it looks on track to pass prior to the end of Q1 2021), Virginia appears to be on track to adopt one of the most stringent data privacy regulations in the US to date. Below, we provide a brief overview of VCDPA and will continue to update as we learn more.

Who does the VCDPA affect?

As currently drafted, the VCDPA would apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that:

1) During a calendar year, control or process personal data of at least 100,000 consumers or;

2) Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”

These bright-line thresholds notably omit a revenue component, which is a departure from the California Consumer Privacy Act (“CCPA”) and means that companies of any size are in scope, provided they are processing enough consumer data. Given that “personal data” includes a consumer’s IP address, if your website gets more than 275 unique visitors per day then you’re collecting over 100,000 pieces of personal information and your business is likely to be in scope for VCDPA.

When is the VCDPA’s effective date?

If passed, the VCDPA would become effective January 1, 2023.

What rights are provided by VCDPA?

The VCDPA would provide Virginia residents with the rights to data:

  1. Access;
  2. Correction;
  3. Deletion;
  4. Disclosure;
  5. Portability; and
  6. Opt-out of processing.

If a consumer makes a request to exercise their rights, companies have 45 days to respond. Also, and this is very important, VCDPA allows a consumer to opt-out of targeted advertising and forms of profiling, meaning that companies will need to take a deep dive regarding how they handle and manage cookies and tracking scripts on their website.

What responsibilities do data controllers have?

VCDPA uses the term “controller” to describe the entity that determines the purpose and means of processing data, and under VCDPA controllers must:

  • Provide to consumers a clear and conspicuous privacy policy that describes how they collect, use and share personal data, as well as whether they sell personal data or provide such data for targeted advertising purposes;
  • Obtain consent prior to collecting and processing sensitive personal data (g., data revealing certain protected characteristics, genetic or biometric data, data collected from children or precise geolocation data);
  • Comply with data processing principles that ensure purpose limitation of personal data and data minimization;
  • Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
  • Enter into a written contract with third-party “processors” that process data on the controller’s behalf that set forth the instructions and limitations on how the processor may process personal data, including the data that are subject to processing, the duration of processing and the rights and obligations of both parties;
  • Conduct and document a data protection assessment when processing sensitive data or conducting activities related to targeted advertising, selling personal data, profiling and other activities that present a heightened risk of harm to consumers; and
  • Inform consumers of the various privacy rights afforded to them under the VCDPA and honor those rights.

Do I need to enter into Data Processing Agreements?

The VCDPA requires controllers to enter into data processing agreements with data processors that: (1) set forth instructions for processing personal data, including the nature and purpose of processing; (2) identify the type of data subject to processing, the duration of processing, and the rights and obligations of both parties; and (3) ensures that each person processing personal data is subject to a duty of confidentiality with respect to the data. The agreements also would need to make data processors delete or return personal data at the conclusion of the service, cooperate with assessments, and contractually pass down these obligations to subcontractors.

Who will enforce the VCDPA?

The Virginia Attorney General’s office would enforce the law exclusively. The office would need to provide 30 days’ notice of any violation and allow the controller or processor to cure it. If the violation remains uncured, the office could file an action seeking $7,500 per violation. Notably, in its current form the VCDPA does not give consumers a private right of action, which means that the Attorney General would have sole jurisdiction to enforce.

Are there exemptions from the VCDPA?

Yes. Similar to CCPA, the VCDPA contains a number of exemptions, including exemptions for HIPAA covered organizations, nonprofits, universities, and organizations subject to the Gramm-Leach-Bliley Act (“GLBA”). The VCDPA also exempts certain data sets such as HIPAA personal health information, personal data regulated by FERPA, employment-related data, and certain types of data regulated by the FCRA. In total, the VCDPA lists 14 types of data sets that are exempt from its provisions.

Key Takeaway

Though not yet cemented into law, the VCDPA is yet another example of the ever-evolving data privacy landscape. Given that there are a number of regulatory differences on a state-by-state level in the US, as these laws continue to be implemented, companies will have to adopt a flexible approach in order to not run afoul of their compliance obligations.

How Can Clym Help?

Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues.  Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.