March 05, 2021
Virginia's newly enacted privacy regulation—what does it mean for businesses and how does it compare to other U.S. privacy laws?
On March 2, 2021, Virginia became the second state to enact comprehensive privacy regulation. California passed the California Consumer Privacy Act (CCPA) in 2018 and recently extended privacy protections in the California Privacy Rights Act (CPRA). The Virginia Consumer Data Protection Act (VCDPA) is another example of the expansion of data privacy in the U.S. There is considerable overlap between the VCDPA and the CPRA, as well as similarities between the VCDPA and the European General Data Protection Regulation (GDPR). There are also some differences between the VCDPA and the other privacy laws, which companies need to make sure to consider to ensure compliance.
What does this mean for businesses? Here are a few key points.
The VCDPA goes into effect on January 1, 2023, so businesses have time to prepare and update their compliance programs.
The VCDPA applies to organizations that conduct business in Virginia or produce products or services that target Virginia residents and that:
Compared to the CCPA, the VCDPA doubles the amount of consumer data that must be collected or processed for a business to fall within its scope.
The VCDPA, like the CPRA and GDPR, includes a broad definition of personal data: “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, the VCDPA’s definition does not include de-identified data or publicly available information. The VCDPA defines “public information” to include information that is “lawfully made available through federal, state, or local government records” and “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media . . . unless the consumer has restricted the information to a specific audience.”
The VCDPA includes many exemptions, including:
Borrowing from both the CPRA and the GDPR, the VCDPA provides consumers with several rights, including the right to:
Similar to the GDPR, Virginia’s law establishes “controller” and “processor” roles, which differentiate how entities handle personal data. Controllers are those who determine the purposes and means of processing personal data, while processors are entities that process personal data on behalf of a controller and at the controller’s direction. The law assigns different obligations based on an entity’s status as a controller or processor. The VCDPA imposes several obligations on controllers, including:
Another concept borrowed from the GDPR is the requirement that controllers obtain consumers’ informed consent before processing “sensitive data.” Sensitive data include:
Importantly, the CPRA includes a sensitive data category, but requires businesses to provide consumer with the ability to opt out of the processing of sensitive data. The VCDPA, on the other hand, requires consumers to opt in.
The VCDPA does not provide for a private right of action; enforcement is solely through the attorney general. If the attorney general decides to take action, the office must notify the controller, which then has 30 days to cure the violation and provide the attorney general with an “express written statement that the alleged violations have been cured and that no further violations shall occur.” If a controller fails to cure a violation, it could face up to $7,500 per violation.
In preparing to comply with both the CPRA and VCDPA, companies will have to navigate the convergence and diversion between the two laws, which could be difficult. Fortunately, both the CPRA and VCDPA provide a two-year ramp-up period, giving businesses time to understand their compliance obligations. As other states, such as Washington, consider privacy regulations, companies will have to continue to be diligent to understand the nuances to ensure compliance. Nixon Peabody will continue to monitor and report on developments as the privacy landscape continues to shift.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.
Data Privacy & Cybersecurity Alert | 06.11.21
Employment Alert | 02.24.21
Privacy Alert | 01.15.21