
Virginia Consumer Data Protection Act (VCDPA)

The data privacy law of the state of Virginia.


What is Virginia's Consumer Data Protection Act?

The Virginia Consumer Data Protection Act, also known as the VCDPA, is the privacy law of the state of Virginia that regulates how organizations may obtain, process, use, store and distribute the personal information of Virginia residents.

The VCDPA regulates the way personal information and sensitive personal information is collected and handled, the way consent is obtained, how geolocation data is collected, how data is sold, and how targeted advertising affects compliance. In addition, Virginia's privacy law grants your website visitors a range of consumer rights, similar to those granted by the GDPR or California's CCPA.

Last but not least, Virginia's data privacy law (VCDPA) is an opt-in law, which means you must inform your website visitors of the data you are obtaining and processing, and you must collect explicit and affirmative consent from them in order to legally obtain that data.

The Virginia Consumer Data Protection Act was passed on March 2nd, 2021, and came into effect on January 1st, 2023. 

Keep reading below to find out more about Virginia's consumer privacy act and to start your journey to compliance today by getting answers to questions such as:

  • Does the VCDPA apply to my business?
  • What consumer rights does the VCDPA grant to Virginians?
  • What are the penalties for violations of the VCDPA?
  • ...and more.

 

How does the VCDPA define Personal Information and what are other key definitions?

Virginia's consumer privacy law defines personal information as "any information that is linked or reasonably linkable to an identified or identifiable natural person." However, as with Colorado's privacy law, the VCDPA states that this does not include de-identified data or publicly available information.

In addition, under the general concept of personal information, Virginia's law includes biometric data, geolocation data and sensitive data.

‘Biometric data’ is any data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual, but does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

‘Precise geolocation data’ means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet, but which does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

The Virginia privacy law (CDPA) also offers definitions for ‘controller,’ the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information, and ‘processor,’ defined as a natural or legal entity that processes personal information on behalf of a controller.

As concerns the definition of 'child,' the VCDPA sees a ‘child’ as any natural person younger than 13 years of age, and it defines ‘personal data’ as any information that is linked or reasonably linkable to an identified or identifiable natural person, but which does not include de-identified data or publicly available information.

Last but not least, ‘sensitive data’ means a category of personal information that includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal information collected from a known child; or precise geolocation data.

 

Who does the Virginia Consumer Data Protection Act apply to?

Virginia's law applies to for-profit organizations that conduct business in Virginia or whose target audience includes residents of the state of Virginia, and that:

  • control or process personal information of at least 100,000 consumers; or
  • control or process personal information of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal information.

Unlike the CCPA, for example, Virginia's privacy law has no revenue threshold imposed, so businesses of all sizes can find themselves covered by the scope of Virginia's consumer privacy law, depending on their collection and processing of consumer data.

Who does the Virginia Consumer Data Protection Act exempt?

The Virginia data protection act does not apply to the following types of entities:

  • Any body, authority, board, bureau, commission, district or government agency in Virginia, or any political subdivision located in the state;
  • Financial institutions or data that is subject to Title V of the Gramm-Leach-Bliley Act;
  • Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);
  • Nonprofit organizations;
  • Higher education institutions.

What are the requirements for businesses under the Virginia Consumer Data Protection Act?

In order to be compliant with the VCDPA, your organization should:

  1. Limit the collection of personal information to only that which is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer”;
  2. Limit the use of personal information, meaning do “not process personal information for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent”;
  3. Not process sensitive personal information without obtaining consent and in the case of sensitive personal information about children, follow COPPA’s rules;
  4. Implement technical safeguards for your website, meaning “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information. Such data security practices shall be appropriate to the volume and nature of the personal information at issue”;
  5. Establish data protection assessments (“DPAs”) to determine any potential risks resulting from processing activities. There are no clear guidelines as to the frequency of the assessments or how long their results must be kept;
     a) Similar to the GDPR, where personal information is processed by a data processor on behalf of a data controller, this can only be done under a data processing agreement, which must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties”;
  6. Provide your website visitors with a Privacy Policy that includes the following:
     • The categories of personal information that will be collected;
     • The purposes for collecting personal information;
     • How your website visitors can exercise their data subject access rights, or appeal a controller’s decision regarding a submitted request;
     • The categories of personal information that are being shared with a third party, if any; and
     • The categories of third parties with whom you share the personal information of your website visitors, if any.

What data access rights does the Virginia Consumer Data Protection Act grant?

Virginia's privacy law (CDPA) provides your website visitors with a series of data access rights, including:

  • Right to access: your website visitors have the right to confirm whether or not you are processing their personal information and to access such personal information;
  • Right to correct: they have the right to correct inaccuracies in their personal information, taking into account the nature of the personal information and the purposes of the processing;
  • Right to delete: they have the right to have any personal information provided by or obtained about them deleted;
  • Right to data portability: your website visitors have the right to obtain a copy of the personal information they previously provided to you in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the information to another controller without hindrance, where the processing is carried out by automated means;
  • Do Not Sell my Personal Information / Opt Out: individuals have the right to opt out of the processing of their personal information for the purposes of targeted advertising, the sale of personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the individual;
  • Finally, the Virginia Consumer Data Protection Act gives your website visitors the Right to appeal, meaning that if you refuse to act on a data subject access request within the legal timeframe (45 days from the date of receiving the request) you are obliged to “establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable time after the consumer's receipt of the decision." If the appeal is also denied, you must inform the individual whose appeal you refused how they can file a complaint with the Attorney General.


How to respond to consumer requests under the Virginia Consumer Data Protection Act?

You must reply to a consumer request “without undue delay, but in all cases within 45 days of receipt of the request submitted.” You are allowed to extend this by another 45 days, “when reasonably necessary, taking into account the complexity and number of the consumer's requests,” as long as you inform the person who submitted the request of the extension within the initial 45-day period and include the reason for the extension.

Before replying to a request, you must be able to authenticate said request. If you are unable to do so, you are not required to comply with the request and may request additional information “reasonably necessary to authenticate the consumer and the consumer's request.”

The information you provide in response to a request has to be “free of charge, up to twice annually per consumer.” However, Virginia's privacy act states that “if requests from a consumer are manifestly unfounded, excessive, or repetitive,” you may “charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request,” but you are responsible for “demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.”

If an individual wishes to appeal your refusal to grant their request, you are required to establish a process for this to be possible. The appeal process has to be “conspicuously available and similar to the process for submitting requests to initiate action.”

Last but not least, within 60 days of receiving an appeal, you are required to inform the person who appealed your decision, in writing, of any action taken or not taken in connection with their appeal, along with a written explanation of the reasons for this. If their appeal is denied, you must provide them with “an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.”

 

Virginia Consumer Data Protection Act enforcement and penalties

The provisions of the Virginia Consumer Data Protection Act are enforced by the state Attorney General.

Prior to taking any action against your business, the Attorney General will provide you with a 30-day written notice of the specific provisions of this privacy law that you have violated. Generally, if within those 30 days you cure the violation(s) and provide an express written statement that they have been cured and that no further violations will occur, no action will be taken against you.

However, if you continue to violate any of the provisions of the Virginia Consumer Data Protection Act following the cure period, or you breach an express written statement previously provided to the Attorney General, you are liable to be charged with a civil penalty of up to $7,500 for each violation. It is important to note that each “violation” could be each customer record under your control; penalties can therefore add up quickly.

 

Data Subject Rights - GDPR vs. Virginia Consumer Data Protection Act

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can see Clym in action for yourself by booking a demo or reaching out to us to discuss your specific needs today.

 

FAQs about the Virginia Consumer Data Protection Act

What does the Virginia Consumer Data Protection Act apply to?

The Virginia Privacy Act applies to any for-profit organization that conducts business in Virginia or targets residents of the state and which controls or processes the personal information of 100,000 consumers or more, or which controls or processes the personal information of 25,000 consumers or more and also derives more than 50% of its revenue from the sale of personal information.

What is exempt under Virginia's privacy law?

The Virginia Consumer Data Protection Act excludes several types of entities, such as: any body, authority, board, bureau, commission, district, or government agency in Virginia, or any political subdivision located in the state; financial institutions or data covered by Title V of the Gramm-Leach-Bliley Act; entities covered by HIPAA; nonprofit organizations; and higher education institutions.

What data subject rights does the Virginia data protection act (CDPA) grant Virginia residents?

Virginia's data protection act (CDPA) gives consumers the following data rights: the right to access, correct, or delete, the right to be informed, the right to data portability, the right to opt out of the processing of their personal information for the purpose of targeted advertising, sale of personal information or profiling, and the right to appeal a refusal by the controller.

What are the penalties for non-compliance with the Virginia Consumer Data Protection Act?

The Attorney General allows for a 30-day cure period for violations, after which organizations are liable to be charged with a civil penalty of up to $7,500 for each violation. Because under the Virginia Consumer Data Protection Act each violation can be each customer record under your control, penalties can add up quite fast.

What is the difference between the Virginia Consumer Data Protection Act and the CCPA?

The Virginia Consumer Data Protection Act requires that controllers obtain opt-in consent from consumers before processing their personal data, whereas California's CCPA is an opt-out law, meaning that it requires controllers to limit the use or disclosure of the sensitive personal information of consumers upon request. Virginia's privacy law is enforced solely by the Attorney General, whereas the CCPA is enforced by both the dedicated privacy office, the California Consumer Privacy Agency (CPPA), and the Attorney General. Last but not least, the VCDPA allows for a period of 45 days for consumer requests, whereas the CCPA only allows 30 days.


Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596