Virginia’s Consumer Data Protection Act
Emerging Privacy and Data Protection Framework
2020 brought privacy and data protection into acute focus, as employees around the world worked remotely and sensitive health information became a primary point of interest. This change in practices means that data security is no longer a secondary concern; rather, it is now a primary vulnerability for any business, with increased costs from both data breaches and regulatory penalties.
Without a national framework, the California Consumer Privacy Act (CCPA) continues to lead the way, particularly with the addition of the California Privacy Rights Act (CPRA) in November 2020. This legislative framework brought California closer to Europe’s General Data Protection Regulation (GDPR), which is the worldwide standard-bearer.
Due to cross-jurisdictional businesses and world-wide information sharing, Virginia businesses should strive for GDPR compliance if possible, as the costs and risks associated with noncompliance are increasingly high.
Virginia Consumer Data Protection Act
Bringing this recommendation into greater clarity, the Virginia General Assembly recently approved the Virginia Consumer Data Protection Act (VCDPA), which became effective January 1, 2023. The VCDPA provides data protection rights for Virginia residents, while imposing affirmative duties on Virginia businesses related to the collection and use of consumer data.
Consumer Data Protection Act. Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising.
The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.
Find more information in this Virginia Office of the Attorney General (OAG) informational recap.
This was a major legislative step for Virginia. Moreover, it is likely to be strengthened over time, drawing it closer to California’s regime and the European GDPR.
With the emerging focus on data protection and privacy, and in light of the numerous regulatory frameworks that could apply to a Virginia-based company, businesses should act now to create a compliant framework. The VCDPA will likely apply to companies that interact with Virginia residents or process the personal data of Virginia residents on a larger scale. The VCDPA does not define "conducting business in Virginia," but economic activity that triggers tax liability or personal jurisdiction in Virginia may be a good test for whether the VCDPA applies to your business.
In addition to the internal business requirements, the VCDPA imposes vendor risk management obligations. This includes express contract protections related to a vendor’s data processing of a company’s information. With the proliferation of cloud-based service and storage solutions, this requirement is increasingly relevant both as a matter of legal compliance and as a matter of secure business operations.
Virginia’s Existing Data Protection and Privacy Framework
Virginia had pre-existing data protection and privacy rules in VA Code § 18.2-186.6. The statute requires an individual or entity that owns, maintains, or possesses personal identifying information of Virginia residents, and that has a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, to report the unauthorized breach to the Office of the Virginia Attorney General (OAG) and to provide notification to each affected Virginia resident.
In short, if your Virginia business possesses "personal identifying information" (such as social security numbers, credit card numbers, passport numbers, dates of birth, etc.) and you believe that a third party has accessed or taken this information without permission, then you have a data breach. Once you suspect a data breach, there are numerous steps that you must take to comply with the statute.
The statute prescribes specific requirements for the notification to the OAG and to the individuals affected. In addition to any civil action for actual damages and other regulatory sanctions, the OAG may bring a civil action that carries a fine of up to $150,000 per breach.
The nuances of covered entities, covered data, and the notification requirements can be complex. Preventative maintenance and a thoughtful approach to your entity’s handling of privacy data is essential to any Virginia business. Read more here about a thoughtful and preventative approach to handling data and your business’s IT risks.
If your Virginia entity believes that a data breach has occurred, your entity should immediately consult with experienced IT professionals and with our office to discuss the applicable requirements and to act without delay.
There are separate statutes applicable to the disclosure of private health information by state and local entities. Likewise, HIPAA and other federal prescriptions apply to covered health information.
The heightened risks highlighted in 2020 and the stricter regulations that have emerged over the last few years are here to stay. Virginia businesses can no longer avoid creating a thorough and compliant data protection and privacy framework; instead, thoughtful leaders must embrace these changes and challenges to position their companies for continued success.