What is the Virginia privacy law?
On March 2, 2021, Virginia’s privacy law came into effect. The Virginia Consumer Data Protection Act was only the second U.S. state law to pass, after California. While its requirements are similar to the California Consumer Privacy Act, which came into effect in 2018, similar does not mean the same.
Importantly, the VCDPA requires businesses to obtain opt-in consent to process sensitive information.
The law does borrow some language from the EU’s General Data Protection Regulation, moreso, than it does California law.
Why is the Virginia privacy law’s acronym so bad?
We don’t know. We feel you. It’s a rough series of letters. Does not roll off the tongue.
Confused about VCDPA?
To whom and where does this apply?
The VCDPA applies to any businesses operating in Virginia or producing products and services targeted at Virginia residents. One of two other conditions must also apply for a business to be considered “covered” by the law.
- You control or process personal data of at least 100,000 Virginia residents, or
- You derive more than 50% of your gross revenue from the sale of personal data AND control or process personal data of at least 25,000 Virginia residents.
That’s a pretty wide net. It’s basically applicable for any Virginia companies seeking global customers for their products.
To be clear, the VCDPA will apply to for-profit and business-to-business companies that interact with Virginia residents, or process personal data of Virginia residents on a relatively larger scale. But just like the CCPA does not define “doing business” in California, the VCDPA does not define “conduct[ing] business in Virginia.” So that part is a bit ambiguous. However, businesses likely can assume that any economic activity that similarly triggers tax liability or personal jurisdiction in Virginia will trigger VCDPA applicability.
It’s also important to note that Virginia’s privacy law does not apply to HR/employee data nor Salesforce/CRM data, whereas California’s latest privacy law, the California Privacy Rights Act (which supplants the CCPA) applies to all data types.
By when do I need to be compliant?
The VCDPA comes into effect on January 1, 2023. Businesses must learn the law and assess their data types, data uses, and data processing activities to ensure their current practices can support the law.
What are the pain points?
Virginia’s privacy law has some key differences from the CPRA, CCPA, and GDPR, which will require operational changes within your organization.
Required consent for sensitive data: This is one of the most important provisions to pay attention to.
It’s essential that you take stock of any data that might be considered “sensitive” under the VCDPA, as well as why you collected it. That’s because consumers have the right to opt-in rather than the requirement to opt-out of sensitive data collection.
Sensitive data under Virginia’s law includes personal data revealing:
- Race or ethnic origin.
- Religious beliefs.
- Mental or physical health diagnosis.
- Sexual orientation.
- Citizenship status.
- Biometric or genetic data.
- Geolocation data.
- Data collected from a child under 13.
If you don’t have a legally valid reason for having collected such sensitive data before or as of January 1, 2023, when the VCDPA comes into effect, you should get in touch with your customers and obtain opt-in consent.
Data protection assessments: It’s essential you look at your past launches to see whether a data protection impact assessment or a privacy impact assessment is required for any of the following processing activities:
- Targeted advertising.
- Sale of personal data.
- Profiling in a way that could injure consumers.
- Processing of sensitive data.
- Any processing activities involving personal data that present a heightened risk. of harm to consumers.
Consumer right to appeal: Data controllers have to have a way for consumers to appeal if you refuse to take action on one of their requests within 60 days of receiving it.
Privacy policy update for opt out right: Data controllers have to clearly disclose if you’re selling personal data to third parties or using the data for targeted advertising. You also have to tell a consumer how they can opt-out of both.
Who will enforce the VDCPA?
The Virginia Attorney General will enforce the VDCPA. Importantly, the law includes a 30-day cure period, which means it’s possible that the attorney general may cite a problem but agree to give an organization time to fix it. If the organization doesn’t fix it within 30 days, the attorney general could serve fines of up to $7,500 per violation.
Who is exempt from the VCDPA?
There are conditions in which an organization doing business in Virginia is not captured by Virginia’s privacy law. Those include:
- Virginia government authority, board, district or agency.
- Financial institutions covered by the Gramm-Leach-Bliley Act.
- Covered entity or businesses subject to the Health Insurance Portability and Accountability Act.
- Nonprofits.
- Colleges and universities.
About TerraTrue
TerraTrue empowers teams to build privacy and security into everything they do through a collaborative, intuitive, and scalable platform. Purpose-built to work with modern product development, TerraTrue seamlessly captures structured data about how teams plan to collect, use, store, and share data. The platform then maps that digital blueprint to the world’s privacy laws to automate guidance, risk-flagging, and downstream data maps and reports. Sitting as a hub between product teams and review teams, TerraTrue also smartly routes rule-based workflows throughout an organization, automatically detects and reports infrastructure changes in cloud environments, and drives vendor management — all from the same single source of truth. With TerraTrue’s digital privacy platform, companies run a scalable, fast privacy-by-design program that eliminates spreadsheets, manual ad-hoc processes, and compliance bottlenecks. Modern brands like Lyft, Robinhood, Roku, and Foursquare use TerraTrue to get privacy right by shifting left. Learn more at terratrue.com.
