Insight

Virginia Becomes the Second State—and the First on the Eastern Seaboard—to Adopt a Comprehensive Data Protection Law

Virginia Becomes the Second State—and the First on the Eastern Seaboard—to Adopt a Comprehensive Data Protection Law

S. Wilson Quick

S. Wilson Quick

April 16, 2021 11:35 AM

In March of 2021, Virginia became the second state to adopt a comprehensive data protection law. The Virginia Consumer Data Protection Act (VCDPA), which goes into effect on Jan. 1, 2023, borrows many concepts from the California Consumer Privacy Act (CCPA), which went into effect in 2020, but has enough subtle difference that companies doing business in both California and Virginia will need to evaluate whether they have different or unique compliance obligations under each state’s law.

For many East Coast businesses who did not have to focus on California law, the VCDPA is likely to bring new and daunting privacy compliance concepts that will take substantial effort to meet over the next two years. This alert highlights some of the key aspects of the VCDPA that any company doing business in Virginia should be aware of moving forward.

Who has to comply with the VCDPA?

The VCDPA applies to any company that does business in Virginia or that “produce[s] products or services that are targeted to” Virginia residents where that company, either:

  1. controls or processes “personal data” of at least 100,000 Virginia residents; or
  2. controls or processes “personal data” of at least 25,000 Virginia residents and derives more than 50% of its gross revenue from the sale of personal data.

While these are similar concepts to the CCPA, the VCDPA does not have a standalone revenue threshold that would subject companies with large amounts of revenue and only a handful of Virginia customers to its requirements.

In similar fashion to the CCPA, the VCDPA exempts certain types of entities from needing to comply, as follows: (i) Virginia state government entities; (ii) financial institutions with data subject to the Gramm-Leach-Bliley Act (GLBA); (iii) covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act; (iv) non-profits; and (v) institutions of higher education.

What is “Personal Data” under the VCDPA?

The definition of “personal data” is broad and includes any information that is “linked or reasonably linkable to an identified or identifiable natural person.”

There are, however, a number of important exemptions from the definition. The first includes certain types of data that are otherwise addressed by federal or other Virginia state laws. Examples include data subject to GLBA, HIPAA, and other similar industry focused data protection laws.

A second, and very significant exemption for many business, is employment data, which includes application data, information necessary to administer benefits programs, and emergency contact information kept by business entities. Employment data is not currently excluded under the CCPA, which has been a point of consternation for many businesses.

A third exemption exists for de-identified or pseudonymous data.

Finally, publicly available information is not “personal data” under VCDPA.

How does the VCDPA protect consumer personal data?

One of the main goals behind the VCDPA, like the CCPA, was to provide a set of previously unobserved privacy rights, including the right to access, correct and delete personal data, to Virginia residents. Consumers also have a right to request their data from a business in a format that can be transferred to another business of the consumer’s choosing—often known as the right to data portability.

When it comes to how a business uses a consumer’s data, the VCDPA provides users the right to opt out of data processing for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling to make decisions that would produce legal or similarly significant effects to a consumer.

In another departure from the CCPA, the VCDPA defines “sale” to specifically reference an exchange of personal data “for monetary consideration.” This is much clearer than the broad CCPA definition that could potentially include any transfer of personal data where the transferor receives value. The definition of a sale also explicitly excludes a transfer to affiliates of the controlling business.

The right to opt out of profiling is a new concept in American privacy law that borrows heavily from concepts expressed in Europe’s General Data Protection Regulation (GDPR). The VCDPA defines “profiling” as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Businesses using predictive screening processes, and similar automated processes, will have to consider how they will provide this right to consumers.

The VCDPA provides special rights and protections to “sensitive” personal data, which is defined to include (i) “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) the personal data collected from a known child; and (iv) precise geolocation data. Most significantly, businesses must obtain affirmative consent before processing a consumer’s sensitive personal data.

What must businesses do to comply with the VCDPA?

In short, quite a lot, if the law applies and the business has not already made changes to comply with the CCPA or GDPR. As a start, businesses must ensure their privacy notices (or policies) include statements addressing, at a minimum:

  • the purpose(s) for which the business processes personal data;
  • how a consumers may exercise the individual rights provided by the VCDPA, including how a consumer may appeal a business’ decision with regard to the consumer’s request;
  • the categories of personal data that the business shares with third parties, if any;
  • the categories of third parties, if any, with whom the business shares personal data;
  • a clear disclosure and information on how to opt out if the business sells personal data to third parties or processes personal data for targeted advertising

From an operational standpoint, businesses must limit their data collection to what is practical and reasonable under the circumstances and “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data” that is collected.

Businesses that process any form of sensitive personal data or that engage in data processing for certain purposes, such as targeted advertising, the sale of personal data, or profiling, must conduct a “data protection assessment” to evaluate the risks associated with their processing activities. These assessments must weigh the overall benefits of the processing activity against the potential risks to the rights of the consumer, as mitigated by applicable safeguards.

Finally, businesses that engage third parties to process data must ensure that their data processing agreements meet minimum adequacy requirements. For example, these agreements must include confidentiality and retention clauses, among others, and must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”

How is the VCDPA going to be enforced?

The Virginia Attorney General has exclusive authority to enforce the VCDPA, though violators must be given notice and a chance to cure any alleged violations within 30-days before the attorney general may seek injunctive relief or monetary damages. Violations carry statutory damages up to $7,500 for each violation, as well as “reasonable expenses incurred in investigating and preparing the case, including attorney fees.”

Notably, there is no private right of action under the VCDPA.

What should businesses do to comply?

While the effective date of Jan. 1, 2023 may seem far off, businesses that foresee a need to comply with the law—either now, or because of projected growth over the next few years—should seriously consider budgeting and planning to comply now. Compliance with privacy regimes almost always tends to be more time and resource intensive than C-suite executives imagine. Bringing information technology and security personnel into the discussion early will help to minimize the squeeze that many businesses felt in trying to comply with the CCPA at the last minute.

Additionally, while the CCPA and VCDPA hold unique positions now as the first and second comprehensive data protection laws in the United States, no privacy professional thinks that is likely to be the state of affairs for long. Several other states are currently considering their own versions of comprehensive privacy laws—any one of which could require compliance by an earlier date.

Reach out to the privacy and data security team at Brooks Pierce to determine if the VCDPA applies to your business and to get assistance with an early start on the compliance process.

Related Articles

Privacy Practice


by Casey Waughn

Data protection is all the rage among tech companies and state, national (and even transnational) governments alike. Is it a passing fad or here to stay? And how should businesses and groups of all sizes handle compliance with a blizzard of new laws?

Data Protection Prompt New Privacy Laws

New England States With Incoming Legislation


by Gregory Sirico

Best Lawyers takes an in depth look at newly proposed bills, litigation and cases coming out of four New England states.

New England Laws Taking Effect in 2022

Recent Developments on Privacy and Data Protection in Brazil


by Ricardo Barretto Ferreira da Silva and Camila Taliberti Ribeiro da Silva

A change of paradigm is urgent and requires a robust legislation on personal data protection.

Privacy and Data Protection Brazil

The Future of Data Privacy: You Can Run but You Can’t Hide (or Can You?)


by Chad W. King

In Ernest Cline’s dystopian novel "Ready Player One," the world’s population is addicted to a virtual reality game called the OASIS.

The Future of Data Privacy

My Data My Rules: An Overview of Data Protection in Brazil


by Fábio Pereira

My Data My Rules

Trending Articles

2025 Best Lawyers Awards Announced: Honoring Outstanding Legal Professionals Across the U.S.


by Jennifer Verta

Introducing the 31st edition of The Best Lawyers in America and the fifth edition of Best Lawyers: Ones to Watch in America.

Digital map of the United States illuminated by numerous bright lights.

Unveiling the 2025 Best Lawyers Awards Canada: Celebrating Legal Excellence


by Jennifer Verta

Presenting the 19th edition of The Best Lawyers in Canada and the 4th edition of Best Lawyers: Ones to Watch in Canada.

Digital map of Canadathis on illuminated by numerous bright lights

Discover The Best Lawyers in Spain 2025 Edition


by Jennifer Verta

Highlighting Spain’s leading legal professionals and rising talents.

Flags of Spain, representing Best Lawyers country

Unveiling the 2025 Best Lawyers Editions in Brazil, Mexico, Portugal and South Africa


by Jennifer Verta

Best Lawyers celebrates the finest in law, reaffirming its commitment to the global legal community.

Flags of Brazil, Mexico, Portugal and South Africa, representing Best Lawyers countries

Presenting the 2025 Best Lawyers Editions in Chile, Colombia, Peru and Puerto Rico


by Jennifer Verta

Celebrating top legal professionals in South America and the Caribbean.

Flags of Puerto Rico, Chile, Colombia, and Peru, representing countries featured in the Best Lawyers

Prop 36 California 2024: California’s Path to Stricter Sentencing and Criminal Justice Reform


by Jennifer Verta

Explore how Prop 36 could shape California's sentencing laws and justice reform.

Illustrated Hands Breaking Chains Against a Bright Red Background

Tampa Appeals Court ‘Sends Clear Message,” Ensuring School Tax Referendum Stays on Ballot


by Gregory Sirico

Hillsborough County's tax referendum is back on the 2024 ballot, promising $177 million for schools and empowering residents to decide the future of education.

Graduation cap in air surrounded by pencils and money

Find the Best Lawyers for Your Needs


by Jennifer Verta

Discover how Best Lawyers simplifies the attorney search process.

A focused woman with dark hair wearing a green top and beige blazer, working on a tablet in a dimly

Paramount Hit With NY Class Action Lawsuit Over Mass Layoffs


by Gregory Sirico

Paramount Global faces a class action lawsuit for allegedly violating New York's WARN Act after laying off 300+ employees without proper notice in September.

Animated man in suit being erased with Paramount logo in background

The Human Cost


by Justin Smulison

2 new EU laws aim to reshape global business by enforcing ethical supply chains, focusing on human rights and sustainability

Worker wearing hat stands in field carrying equipment

Introduction to Demand Generation for Law Firms


by Jennifer Verta

Learn the essentials of demand gen for law firms and how these strategies can drive client acquisition, retention, and long-term success.

Illustration of a hand holding a magnet, attracting icons representing individuals towards a central

Social Media for Law Firms: The Essential Beginner’s Guide to Digital Success


by Jennifer Verta

Maximize your law firm’s online impact with social media.

3D pixelated thumbs-up icon in red and orange on a blue and purple background.

ERISA Reaches Its Turning Point


by Bryan Driscoll

ERISA litigation and the laws surrounding are rapidly changing, with companies fundamentally rewriting their business practices.

Beach chair and hat in front of large magnify glass

How Client Testimonials Fuel Client Acquisition for Law Firms


by Nancy Lippincott

Learn how client testimonials boost client acquisition for law firms. Enhance credibility, engage clients and stand out in a competitive legal market.

Woman holding blurb of online reviews

Critical Period


by Armelle Royer and Maryne Gouhier

How the green-energy raw materials chase is rewriting geopolitics

Overhead shot of mineral extraction plant

Best Lawyers Expands With New Artificial Intelligence Practice Area


by Best Lawyers

Best Lawyers introduces Artificial Intelligence Law to recognize attorneys leading the way in AI-related legal issues and innovation.

AI network expanding in front of bookshelf