What Is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act (VCDPA) was signed on March 2, 2021, making Virginia the second state after California to officially instrument comprehensive consumer privacy legislation. The VCDPA will go into effect on January 1, 2023.

Just to remember: California Consumer Privacy Act (CCPA), the first data privacy law in the US, was passed by the California State Legislature in June of 2018, and took effect on January 1, 2020.

Virginia Consumer Data Protection Act (VCDPA)

Like Europe’s GDPR and California’s CCPA, the VCDPA give Virginia residents the ability to access and control personal data that the business collects about them. VCDPA applies to Virginia residents or website users, which are called Consumers.

Consumers' Rights under the VCDPA

Virginia consumers have six main rights under the VCDPA:

1. Right to access. Consumers have the right "to confirm whether or not a controller is processing the consumer's personal data and to access such personal data."
2. Right to correct. Consumers have the right to correct inaccuracies in their personal data, regarding the nature and the purposes of the personal data.
3. Right to delete. Consumers have the right to delete the personal data provided by them or obtained about them.
4. Right to data portability. Consumers have the right to obtain a copy of the consumer's personal data in a usable format and to the extent technically feasible.
5. Right to opt-out. Consumers have the right to choose between explicit or implied consent modes for the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling in decisions that produce legal or other significant effects concerning the consumer.
6. Right to appeal. Consumers have the right to appeal a business's denial to act within a reasonable time. Under the law, an entity controlling personal data must respond to a consumer request within 45 days of receipt of the request. Where reasonably necessary, the entity may extend the response deadline by an additional 45 days as long as it notifies the consumer within the initial response window. If the entity fails to do this on time, the VCDPA mandates that a "controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable time after the consumer's receipt of the decision." If the appeal is denied, the controller needs to inform the consumer how they can submit a complaint to the state attorney general.

“Profiling” of the data is defined as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements”, that could lead the companies choosing between providing or denying “financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.” However, the law allows some cases of “profiling” of the data, even if users opted out of the profiling. Even without consent, targeted advertising could still be used based on “the context of a consumer’s current search query, visit a website, or online application” or on responding to a consumer request. Similarly, if the data is gathered from internal data, collected by a company and its affiliates, profiling could still be performed. In addition, companies can use personal data from opted-out consumers for internal purposes, such as evaluating the effectiveness and reach of their marketing. However, the applicability of such evaluation is limited.

“Sale” of personal data is quite narrowly defined. Users can only prevent a sale of their personal data if the sale includes an “exchange of personal data for monetary consideration” between the company collecting the data and a third party. Companies can still transfer collected personal data to an affiliated or controlled company; can share personal data with third parties, which process the data on their behalf; and can disclose personal data if a user requests a product or service.

Not sure if your website uses cookies and do you need a privacy or Cookie Policy under the VCDPA? Scan your website for free to find out what cookies does your website uses.

Consumers' Limitations under the VCDPA

Even if consumers have some rights under the VCDPA, there are some limitations to these rights:

1. VCDPA only applies to the personal data of Virginia residents in an individual or household context. Virginia residents are protected as consumers. A consumer is defined as "a natural person who is a resident of the Commonwealth acting only in an individual or household context." The law explicitly omits users where they are "acting in a commercial or employment context," so, VCDPA does not apply to Virginia employees or people in commercial contexts.

2. Not all data counts as personal data. First, as in California, lawfully made available government records are not considered personal data. Second, the lawfully made available information to the general public through widely distributed media “by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience” is not considered personal data. For example, if consumers post their data publicly on social media, this information is not considered their personal data. Third, the law also does not apply to pseudonymous or anonymous data kept by businesses, as long as they show that any identifying information is kept separate and protected.

In addition, unlike the CCPA, the VCDPA allows businesses to offer different prices and levels of service to consumers enrolled in loyalty programs without having to comply with the law.

What Organizations Are Subject to the VCDPA?

Any entity, company, or organization needs to know whether the law applies to them. Under the VCDPA, obligations are imposed on entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:

1. Control or process the personal data of at least 100 000 users during a calendar year.
2. Control or process the personal data of at least 25 000 users and get at least 50% of its gross revenue from the sale of personal data.

This means even large entities will not be subject to the law so long as they do not fall within one of the two categories listed above. VCDPA also does not include an individual acting in a commercial or employment context.

Obligations for entities under the VCDPA

An entity can be covered by the VCDPA either as a “controller” of personal data, to whom the personal data belongs; or a “processor” that manages the personal data like “collection, use, storage, disclosure, analysis, deletion, or modification” on behalf of a controller. Controllers are responsible for receiving, authenticating, and complying with reasonable consumer personal data requests and setting up an appeals process for requests they deny if any.

The VCDPA defines requirements for controllers:

1. Limits on data collection. Like the CCPA and the GDPR, the VCDPA includes a provision limiting the collection of personal data to that which is "adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed."
2. Limits on use. Once the data has been collected, the law requires an entity "not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent." The law also imposes limits on processing sensitive personal data such that doing so is prohibited without the consumer's consent.
3. Technical safeguards. The VCDPA, like the CCPA and the GDPR, mandates an entity "establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."
4. Data protection assessments. The VCDPA also requires controllers to conduct data protection assessments that evaluate the risks associated with processing activities. These confidential assessments allow entities to justify the benefits of their use of personal data and the risks to consumer rights and how controllers reduce those risks. However, it is not indicated how often they must occur and how long they must be kept.
5. Data processing agreements. The VCDPA defines requirements between the data controller and the data processor relationship. Controllers and processors must sign a data processing agreement. Such agreements must "clearly set forth instructions for processing data, the nature, and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties." The data processor must correspond to the instructions of the controller.
6. Privacy Policy. The VCDPA contains a provision requiring controllers to provide consumers with a Privacy Policy.

“Sensitive personal data” is defined as data, which includes, among other categories, race, religion, sexual orientation, biometric data, mental or physical health diagnosis, child personal data, and precise geolocation

The Privacy Policy of a controller must include: the categories of personal data, processed by the controller; the purpose for processing personal data; how consumers could take advantage of their consumer rights and appeal a controller's decision regarding the consumer's request; the personal data that the controller shares with third parties if any; the list of all third parties, if any, with whom the controller shares personal data; the VCDPA has no requirements regarding the time or any particular format the Privacy Policy must follow.

VCDPA compliance is the main responsibility of the controller, with assistance from the processor. Processor businesses comply mainly through their contracts with controllers, which must have a data processing agreement and include instructions and details on processing personal data.

Exceptions for Entities under the VCDPA

As with the CCPA, there are broad exemptions. The following institutions are exempted from the VCDPA:

1. Financial institutions, subject to the Gramm-Leach-Bliley Act (GLBA).
2. Entities and business, governed by Health Insurance Portability and Accountability Act (HIPAA); by the HITECH Act, which encourage healthcare providers to adopt electronic health records and improved privacy and security protections for healthcare data; by entities, which personal data management is regulated by the Family Educational Rights and Privacy Act (FERPA) or by other entities in the healthcare sector.
3. A body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision.
4. Non-profit organizations.
5. Higher education institutions.

geo-targeting

Since privacy laws of different US states are very different, the websites should use different cookie banners for different locations. Businesses can set up different cookie banners with different settings. They will not conflict with each other and the proper script will be taken for each location.

Different privacy laws could be complied with using a function of geo-targeting, the practice of delivering different Cookie Banner and different privacy notice to consumers based on their geographic locations. Website visitors will see only that banner, which is needed for that particulal US state.

CookieScript Consent Management Platform offers geo-targeting, which allows to comply with the privacy laws of different US states based on different locations.

Enforcement of the VCDPA

Unlike the CCPA, there is no right of action against the infringement for consumers- private users. Instead, the Virginia Attorney General has an exclusive authority to enforce violations.

Once the state attorney general decides to take action, the office must notify the controller.

A benefit for a business or an organization is the law’s 30-day cure period, which allows entities that receive letters regarding noncompliance to communicate with the state attorney general’s office and correct any potential violations before fines are imposed. The controller then can provide the attorney general with an "express written statement that the alleged violations have been cured and that no further violations shall occur."

If the controller fails to cure the violation, the attorney general can fine entities up to $7 500 per violation.

Differences Between California’s CCPA and Virginia’s CDPA

Even the scope and purposes of the CCPA and the VCDPA share similarities and were developed to protect consumers' private data, there are several differences between them:

• opt-out right of VCDPA is broader. Unlike California’s CCPA, the VCDPA’s opt-out right is much broader, and includes not only prohibiting to sale personal data but also includes opting out of targeted advertisement, profiling, and more.
• VCDPA protects Virginia residents' privacy stricter. Unlike California’s CCPA, the VCDPA requires businesses to delete personal data upon user request that also includes data concerning a Virginia resident, not only collected directly from him.
• VCDPA does not have a private right of action. Unlike California’s CCPA, the VCDPA does not have a private right of action, meaning that Virginia residents themselves cannot sue companies for VCDPA violations.
• VCDPA has more exemptions. Unlike California’s CCPA, the VCDPA includes more exemptions to compliance for small businesses, financial institutions, health and insurance sectors.
• Businesses in Virginia must satisfy a threshold to fall within the scope of the law. Under California’s CCPA, small entities were left to question whether the processing of data subjected them, while the VCDPA clearly defines the threshold for small entities, based on annual gross revenue.
• VCDPA has no significant record-keeping requirements, aside from documenting data protection assessments. If a company already has in place a GDPR or CCPA-compliant policy regarding data subject or consumer access requests, it should be sufficient to handle requests from Virginia residents.
• Different treatment of consumers enrolled in loyalty programs. Unlike California’s CCPA, the VCDPA explicitly allows businesses to offer different prices and levels of service to consumers enrolled in loyalty programs without having to comply with the law.

Differences between Virginia's VCDPA and California's CCPA.

Not sure if your website complies with the data privacy laws of Virginia and other US states? Use CookieScript Consent Management Platform, which allows geo-targeting, which allows the website to detect the consumer's geographical location and to apply the adequate privacy law. We regularly update the latest privacy regulations, so you do not miss new privacy laws coming into force.

Future of the US States' privacy laws

US state privacy legislation tracker shows that as of 2022, four US states have signed data privacy laws, which are already active or go into effect in 2023. Besides California’s CCPA and Virginia's CDPA, there is Colorado Privacy Act, which will go into effect on July 1, 2023, and Utah Consumer Privacy Act, which will go into effect on December 31, 2023. Other states' data privacy laws are in different legislative processes and are supposed to take effect in a near future.

Experts say that the remaining US states will take one of the first two data privacy laws, either the CCPA or the VCDPA, as a basis for their privacy laws. Virginia’s CDPA is undoubtedly a better fit for business. VCDPA, being just eight pages long, contrasts sharply with the extensive, highly detailed obligations presented at the CCPA and with additional requirements. The VCDPA introduces a plain approach to comprehensive (i.e., non-sectoral) privacy legislation.

VCDPA is supposed to be the data privacy act, which will be copied to some extent by other states. Businesses, that adapted their Privacy Policy to comply with the VCDPA, should handle other US states' privacy laws easier.

In conclusion, different US data privacy laws across America mean different compliance requirements for your website, company, or organization. Thus, your website needs to have a geo-targeting function, which allows the website to detect the user's geographical location and apply adequate privacy laws. geo-targeting allows using of different banners for different locations. CookieScript also has a possibility to choose a combination of countries or the US states at your Cookie Banner to comply with the latest privacy regulations.

Frequently Asked Questions

When Will the Virginia Consumer Data Protection Act (VCDPA) take effect?

The VCDPA was signed on March 2021 and will take effect on January 2023. Use CookieScript Consent Management Platform to prepare and be compliant with the VCDPA.

Does Virginia Have a Consumer Data Protection law?

The Virginia Consumer Data Protection Act (VCDPA) was signed on March 2, 2021, making Virginia the second state after California to officially instrument comprehensive consumer privacy legislation. The VCDPA will go into effect on January 1, 2023. Use CookieScript Consent Management Platform, which allows you to comply with the VCDPA and automatically updates your Cookie Banner according to the latest changes in the privacy laws.

What Are the Fines For Not Complying With the VCDPA?

The Virginia Attorney General has an exclusive authority to enforce violations. A business or an organization has the law’s 30-day cure period, which allows entities that receive letters regarding noncompliance to communicate with the state attorney general’s office and correct any potential violations before fines are imposed. The business then can provide the attorney general with an "express written statement that the alleged violations have been cured and that no further violations shall occur." If the controller fails to cure the violation, the state attorney general can fine entities up to $7 500 per violation. CookieScript Consent Management Platform allows you to prepare for the VCDPA. We also automatically update your Cookie Banner according to the latest privacy laws.

What Organizations Are Subject to the Virginia Consumer Data Protection Act?

Under the VCDPA, obligations are imposed on entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either: control or process the personal data of at least 100 000 users during a calendar year; or control or process the personal data of at least 25 000 users and get at least 50% of its gross revenue from the sale of personal data. All other organizations, which do not satisfy these conditions, are not subject to the VCDPA. This means that even large entities will not be subject to the law so long as they do not fall within one of the two categories listed above. VCDPA also does not include an individual acting in a commercial or employment context. Use CookieScript Consent Management Platform to comply with the VCDPA.

Who Has the Right of Action For the Infringement of the VCDPA?

Unlike the CCPA, there is no right of action against the infringement for private users. Instead, the Virginia Attorney General has an exclusive authority to enforce violations. A business or an organization has the law’s 30-day cure period, which allows entities that receive letters regarding noncompliance to communicate with the state attorney general’s office and correct any potential violations before fines are imposed. If the business fails to cure the violation, the attorney general can fine entities up to $7 500 per violation. Check the CookieScript Consent Management Platform to be VCDPA and other privacy laws compliant.

What Do you Mean by “Consumer”, “Controller”, and “Processor” at the VCDPA?

Virginia residents, who use business services through websites or other means, are called “consumers” under the Virginia Consumer Data Protection Act (VCDPA). A business can be covered by the VCDPA either as a “controller” of personal data, to whom the consumers' personal data belongs; or a “processor” that manages the personal data like “collection, use, storage, disclosure, analysis, deletion, or modification” on behalf of a controller. Controllers and processors must sign a data processing agreement. Controllers are responsible for receiving, authenticating, and complying with the VCDPA and reasonable consumer personal data requests and setting up an appeals process for requests they deny if any. Processors comply mainly through their contracts with controllers, which must have a data processing agreement and include instructions and details on processing personal data. Find out more about the latest privacy laws at CookieScript.

What Are the User's Rights Under the VCDPA?

Virginia consumers have six main rights regarding personal data under the VCDPA: right to access the data, right to correct the data, right to delete the data, right to data portability, right to opt-out, and right to appeal. Find out more about the latest privacy laws at CookieScript.

What Are the Differences Between California’s CCPA and Virginia’s CDPA?

Even the scope and purposes of the CCPA and the VCDPA were developed to protect user's private data, there are several differences between them: 1. The opt-out right of VCDPA is broader. 2. VCDPA protects Virginia residents' privacy stricter. 3. VCDPA does not have a private right of action. 4. VCDPA has more exemptions. 5. Businesses in Virginia must satisfy a threshold to fall within the scope of the law, based on annual gross revenue. 6. VCDPA has no significant record-keeping requirements, aside from documenting data protection assessments. 7. Different treatment of consumers enrolled in loyalty programs, and some other differences. CookieScript Consent Management Platform uses geo-targeting, which allows to comply with the privacy laws of different US states based on different locations.

How to Enable Website Users' cookie compliance Targeting for Privacy Laws?

Since regulations of privacy laws in different US states are very different, different Cookie Banners should be added for different locations. This function could be enabled through geo-targeting, which allows the website to detect the user's geographical location and to apply different Cookie Banners for different locations. With CookieScript geo-targeting you could separate website visitors coming from let's say California, Virginia, or other locations, and apply an adequate Cookie Banner, together with the latest privacy regulations.