
Virginia Consumer Data Protection Act

The U.S. still doesn’t have a comprehensive privacy law and is mostly governed under a handful of sectoral laws such as COPPA, HIPAA and GLB. In response to what they perceive as a vacuum at the federal level, a number of U.S. states have enacted their own comprehensive privacy laws. And while the list of states creating their own privacy laws seems to increase daily, it’s worth noting that Virginia was one of the first states to create its own privacy law.

The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021, making Virginia the second state after California to officially enact comprehensive consumer data privacy legislation.

Keep reading to learn more about the Virginia Consumer Data Protection Act:

  • What kinds of companies are affected
  • What’s expected of your organization
  • Practical steps to make your company compliant

Virginia privacy law at a glance

The Virginia Consumer Data Protection Act (VCDPA), effective as of January 1, 2023, is similar in many respects to recent privacy laws passed in California, Connecticut, Colorado, Nevada, and Utah.

What these U.S. state laws have in common is the implementation of a notice and opt-out choice regime. A “notice and opt-out choice regime” means that a business can process most types of data as long as there is a consumer-facing privacy notice that describes the intended use of data, and the consumer (data subject) is provided with the opportunity to opt out of certain uses of such data (e.g., profiling, sale, targeted ads).

What makes the Virginia Consumer Data Protection Act unique?


Unlike California’s CCPA/CPRA and the California Privacy Act, the VCDPA does not include a set of regulations or other regulatory guidance. A regulation is a rule or order that is issued by a government agency to implement a law. Regulations are usually more specific than laws, and they provide guidance on how to comply with the law. So businesses only have the text of the VCDPA to guide their compliance with the law.

The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023 and is enforced by the Virginia Attorney General. It’s notable that there’s a 30-day right to cure violations and no private right of action.

Disclaimer

Ketch specializes in giving brands and businesses a platform to simplify privacy operations in a complex regulatory landscape. We are not trying to provide legal advice. Keep reading for a crash-course in VCDPA compliance, including how Ketch can help you meet your regulatory compliance goals.

Who does the Virginia Consumer Data Protection Act apply to?

The VCDPA applies to companies that conduct business in Virginia and/or produce or deliver commercial products or services that are intentionally targeted to Virginia residents and that either:

  • Control or process the personal data of 100,000 or more consumers during a calendar year, or
  • Both derive more than 50% of their revenue from the sale of personal data and process or control the personal data of 25,000 or more Virginia consumers.


The VCDPA defines “consumers” to mean Virginia residents acting only in an individual or household capacity. It does not include Virginia residents acting in a commercial or employment capacity.

Understanding the VCDPA requirements

The VCDPA mostly adopts a notice and opt-out choice regime, and enables consumers to opt out of sale, targeted advertising and profiling. Virginia also provides consumers with the right to access, correct, port and delete their data. But there are some nuances to the Virginia Consumer Data Protection Act which are worth noting.

Key Concepts in the Virginia Consumer Data Protection Act


Broad definition of personal information

Like most privacy and data protection laws promulgated over the past five years, Virginia has adopted a broad definition of personal information. It is designed to cover pseudonymous personal data (e.g., IP address, Mobile Advertising ID (MAID), Hashed Email (HEM)) and identifiable personal data (e.g., email or postal address, telephone number). There are exemptions for “public” information and “de-identified” data. Moreover, the rules around data subject access rights do not apply to pseudonymous personal data so long as the controller is able to demonstrate that any information necessary to identify the consumer is stored separately and subject to controls that would prevent the controller from accessing the information.

Consumer Choice / Consent
Virginia mostly has a notice and opt-out choice regime. That means that you can process most types of data, so long as:

  • There’s a privacy notice provided that describes the intended use of the data, and
  • The data subject is provided with the opportunity to opt out of certain uses of such data (e.g., profiling, sale, targeted ads)

But be careful! Virginia requires opt-in consent for the processing of “sensitive information” (see below).

Data Subject Access Requests
A data subject access request (DSAR) is a formal request from an individual (the data subject) to a company, requesting to see a copy of their personal data stored with the company. The VCDPA provides consumers with the right to see the data that companies have on them. Consumers then have the right to correct and/or delete that information. Consumers may also request that their personal data be provided in a form that enables the consumer to port it to a different company. However, the above DSARs do not apply to pseudonymous personal data so long as the controller adopts certain controls to ensure that it isn’t able to identify the data subject.

Sensitive Data
The VCDPA has created a new category of data called “Sensitive Data.” Sensitive Data is modeled on “special category” data in EU data protection law. It includes (a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child.

Virginia requires opt-in consent prior to processing sensitive data. Collecting potentially sensitive data will likely require some adjustments to many companies’ data taxonomy and data governance ruleset.

Controller / Processor / Third Party
The VCDPA utilizes the GDPR terms for controller (i.e., controls the means of processing) and processor (i.e., takes direction from the controller). Similar to California’s CCPA, the VCDPA uses the term “third party” to designate any entity that is NOT a consumer, controller, processor, or an affiliate of the processor or the controller.

Data Governance
Like some other states, Virginia places guardrails around how companies may process data. The expectation is for companies to only collect data that is absolutely necessary (“data minimization”) and to store it for as little time as possible (“data retention”).

Privacy Assessment
Virginia requires companies that engage in certain types of processing activities (e.g., sales, certain profiling, targeted ads, use of sensitive data) to complete Privacy Assessments (PAs): systematic evaluations of their data collection and use practices with an eye towards identifying risks and minimizing or eliminating those risks.

Data Processing Agreements
The VCDPA suggests a data processing agreement (DPA) between controllers and processors. The purpose of a DPA is to outline how the parties plan to ensure that their intra-party data transfers are compliant with privacy laws, and to specify the permitted uses of the data.

The Price of Non-Compliance: Regulatory Fines Across U.S. State Privacy Laws


While GDPR ushered in a new era of large privacy and compliance fines, a few of the U.S. State Privacy Laws also incorporated some fairly aggressive fine structures. The first CCPA fine was $1.2 million. Fines are often determined by the number of violations, which is often dependent on the number of records in your database. Needless to say, those numbers can add up quickly if you’re working with millions of consumers in one of the states, and the fines typically don’t include legal fees or injunctive relief.

Here’s a thumbnail of the fine structures across various U.S. states, including Virginia:

How to Ensure You’re VCDPA Compliant

If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are eight key steps every business should take to ensure they don’t fall foul of regulators:

01. Focus on the scope of the privacy notice(s) presented to data subjects

As noted above, the VCDPA generally operates under a notice and opt-out choice privacy regime. Although the VCDPA ruleset does not focus directly on secondary use of data, it’s nonetheless really important to provide clear and detailed privacy notices.

02. Label your data

The only way to manage data governance across a full data ecosystem is to individually label every single bit of data you collect, effectively creating a layer of metadata that articulates how any given fact or unit of information can be used.

Ketch can automatically crawl and scan your data ecosystem to create and maintain that data labeling metadata so that you can understand and act on data that’s within the scope of the Virginia privacy regulation.

03. Stay flexible

Your data labels can’t be written in permanent ink. Instead, they need to reflect the rules under which the data subject is operating (which may be subject to change). For that reason, it’s important that your systems are nimble and flexible enough to allow users to change their minds and revoke or modify permissions at any moment.

04. Tell your partners

Data labels can’t be anchored in your own internal data-handling processes; instead, they need to be incorporated into the data itself. That’s vital because it’s the only way to ensure that changes made by your users will propagate out to your outside partners, and define their data-handling processes too.

05. Stay up to date

Rules change, and new privacy rules are being written all the time. By encoding compliance metadata directly into your data, you can ensure that your datasets can quickly be brought into compliance not just with the Virginia Consumer Data Protection Act as it exists today, but with any new iterations or copycat statutes introduced by other states.

06. Engage a qualified legal or privacy professional

Unlike GDPR, the VCDPA does not require the appointment of a data protection or privacy officer with a legally mandated set of responsibilities. Regardless, it’s still a good idea to have an internal person or team dedicated to ensuring privacy compliance. And bringing in an outside resource such as a privacy lawyer can help you make sure you understand all of your compliance obligations.

07. Document everything

Keeping clear records about how you’re handling data is vital when it comes to communicating with users and regulators.


Getting VCDPA compliant with Ketch

Meeting your company’s obligations under the Virginia Consumer Data Protection Act can seem daunting, especially if you aren’t a regulatory or policy specialist. When you partner with Ketch, we help you ensure your company is compliant with the VCDPA, as well as all other U.S. State Privacy Laws.

With the Ketch Data Permissioning Platform, you can:

  • Use our “clicks-not-code” interface to create policies for how data is handled throughout your data ecosystem, leveraging our templates for Virginia-specific compliance
  • Create customized, jurisdictionally-aware privacy notices for your customers
  • Deploy Ketch data mapping and discovery tools to find and classify sensitive and personal data in every internal and external system
  • Assign data processing purposes (like analytics or targeted advertising) and permissions to data, so you know exactly how your data may be used, sold, and/or shared
  • Use our drag-and-drop DSR workflow tool to create automated, end-to-end DSR fulfillment processes that replace internal stakeholder tasks with automated execution of access and deletion requests 

When you automate these processes, you enable your internal stakeholders: 

  • Your developers and marketers can do their jobs without fretting about regulations
  • Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)