The VCDPA gives consumers the right to access their personal data and request that it be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. The law even contains some restrictions on the use of de-identified data, or data modified to no longer directly identify individuals from whom the data were derived.
Entities conducting business in Virginia must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. Entities must control or process (i) the personal data of at least 100,000 consumers in a calendar year, or (ii) the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.
At just eight pages, the VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA). Analysis by Bloomberg Law suggests that the law’s brevity and clarity may result in the VCDPA becoming a model for future privacy legislation.
The VCDPA clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context.” Unlike California, where the B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air.
Additionally, businesses must satisfy one of the aforementioned thresholds to fall within the statute’s scope, and unlike California, the VCDPA makes no mention of a threshold based solely on annual gross revenue. Entities are not left to question whether the processing of data from a dozen or so consumers will subject them to the law.
Virginia’s law has no significant recordkeeping requirements, aside from documenting data protection assessments. If a business already has in place a GDPR- or CCPA-compliant process for receiving and responding to data subject or consumer access requests, that process should be sufficient to handle requests from Virginia residents.
What are some potential points for clarification in the VCDPA?
1. Applicability
The VCDPA applies to persons who “conduct business” in the Commonwealth or produce products or services that are “targeted” to residents of Virginia. The statute, however, does not define what “targeted” means.
2. Right to Delete
The VCDPA permits consumers to request the deletion of personal data and was amended in April 2022 to include an exception for businesses that obtained such personal data from a source other than the consumer. However, it’s unclear whether the VCDPA’s general exceptions related to internal operations and other technical uses of data extend to consumer requests to delete personal data. It is also uncertain how Virginia will enforce consumer requests to delete personal data that has been incorporated into an automated decision-making algorithm—an issue that Bloomberg Law analysis has identified as relevant to several state consumer privacy laws.
3. Access and Data Portability
The VCDPA grants consumers a right to obtain a copy of their personal data, and it specifically indicates that the copy be provided “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance ….” But that provision also includes a modifier: “where the processing is carried out by automated means.” It’s not clear what, exactly, “automated means” modifies.
4. Targeted Advertising
The VCDPA defines “personal data” as any information that is “linked or reasonably linkable to an identified or identifiable natural person,” but the term does not include information that could be linked to a consumer’s device.
It’s questionable whether the legislature intended to permit the use of cookies and IDFAs (Identifiers for Advertisers).
5. Children’s Data
While the VCDPA extends to both online and offline data collection practices, it specifies that if a consumer is a child, the controller must comply with the federal Children’s Online Privacy Protection Act (COPPA). But COPPA applies only to personal information collected from children online. Does that leave controllers off the hook if they collect personal data from children offline?
Analysis: Five Subtle Ambiguities in Virginia’s Privacy Law
What are some limitations to the VCDPA?
The Virginia law has carve-outs for protected health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as for personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Those falling outside the scope of the law also include state agencies, nonprofit organizations, colleges and universities, and entities or data subject to Title V of the Gramm-Leach-Bliley Act (GLBA), which largely regulates banks and other financial institutions.
Virginia residents won’t be able to directly sue over violations of the law. Enforcement will be left in the hands of the state attorney general, who can seek damages of up to $7,500 per violation.
A plus for business is the law’s 30-day cure period, which allows companies that receive letters alleging noncompliance to communicate with the attorney general’s office and remedy any potential violations before fines are imposed.
Additionally, unlike the CCPA, the Virginia data privacy law explicitly allows businesses to offer different prices and levels of service to consumers enrolled in loyalty programs without having to comply with certain obligations.
Virginia is to be commended for encapsulating a comprehensive privacy regime in just eight pages. Its Consumer Data Protection Act (VCDPA), which goes into effect Jan. 1, 2023, offers a tailored approach to consumer privacy that contrasts sharply with the sweeping California Consumer Privacy Act (CCPA), its accompanying regulations, and the forthcoming changes wrought by the California Privacy Rights Act (CPRA). Still, Virginia’s law could use a little clarification on five key points.
Kudos to Kristen Mathews, a partner with Morrison & Foerster, and Courtney Barton, Vice President and Senior Counsel at Marriott International, who brought these conundrums to light in a recent presentation at the Privacy + Security Forum’s Virtual Spring Academy.
Since the VCDPA does not specifically mandate the adoption of regulations, any clarification of these issues will likely start with a statutorily created working group—the Consumer Data Protection Work Group—which is charged with reviewing the provisions of the act as well as any issues related to its implementation.
The work group comprises several ex officio members of the Commonwealth—namely, the secretary of Commerce and Trade, the secretary of Administration, the attorney general, and the chairman of the Senate Committee on Transportation—along with consumer rights advocates and representatives of businesses who control or process the personal data of at least 100,000 persons. At the time of this writing, those additional members have not yet been identified.
The group’s “findings, best practices, and recommendations” are due Nov. 1, which is less than five months away. Here’s hoping the group will address the following questions raised by Mathews and Barton (who was speaking on her own behalf and not on behalf of Marriott).
The VCDPA applies to persons who “conduct business” in the Commonwealth or produce products or services that are “targeted” to residents of Virginia. Va. Code § 59.1-572.A. The statute, however, does not define what “targeted” means.
Would targeting be akin to “offering ... goods or services” as in Article 3 of the EU’s General Data Protection Regulation (GDPR)? Or would it require some sort of purposeful conduct directed at Virginia, not unlike what’s required in cases addressing personal jurisdiction? See, for example, ALS Scan, Inc. v. Digital Serv. Consultants, Inc., 293 F.3d 707 (4th Cir. 2002).
Moreover, the VCDPA supplements both prongs—i.e., “conducting business” or “targeting residents”—with an additional qualifier: the person must either (i) control or process the personal data of at least 100,000 residents, or (ii) control or process the personal data of at least 25,000 residents and derive over 50% of gross revenue from the sale of personal data.
If a processor happens to meet the 100K threshold without specifically “targeting” Virginia residents—think, for example, of a website aimed at alumni of a state university located outside of Virginia—would satisfaction of the 100K threshold alone be sufficient to satisfy the “conducting business” prong?
The VCDPA permits consumers to request the deletion of personal data, but it fails to set forth any specific exceptions to the right to delete. Va. Code § 59.1-573.A.3.
The CCPA/CPRA, by contrast, permits a business to refuse to comply with a deletion request where, for example, the personal information is needed to complete a transaction or to fulfill the terms of a warranty. Cal. Civ. Code § 1798.105.
The GDPR similarly provides exceptions to the so-called “right to erasure.” It permits controllers to retain personal data in order to comply with a legal obligation or when needed to defend legal claims, for example. See GDPR Art. 17.
While the VCDPA does set forth generic exceptions in subdivision A of Va. Code § 59.1-578—some of which mirror the exceptions mentioned in the California and EU laws above—the only exceptions that apply to “obligations imposed on controllers” and, more specifically, to the retention of personal data, are listed under subdivision B. Those exemptions are restricted to the performance of internal operations and other technical uses of data.
Arguably, the only recognized exceptions to a request to delete would fall under subdivision B, since deletion is an “obligation” imposed on controllers and any denial of a deletion request would amount to the “retention” of personal data. Therefore, it would be helpful to know if a controller denying a deletion request may also rely on any of the broader exceptions listed under subdivision A.
The VCDPA grants consumers a right to obtain a copy of their personal data, and it specifically indicates that the copy be provided “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance ....” Va. Code § 59.1-573.A.4. But that provision also includes a modifier: “where the processing is carried out by automated means.”
Mathews questions whether “automated means” modifies the requirement to make the personal data portable or the overarching consumer right to access personal data. I question whether it modifies the processing by the original controller or the one to whom the data is being transferred.
The “automated means” language is lifted directly from the text of GDPR Art. 20. Perhaps significantly, the GDPR contains another clause that is not reproduced in the VCDPA: Personal data deemed “portable” must also have been processed on the basis of consent or contract. The GDPR provision thus refers to the processing of the original controller.
But since the VCDPA does not condition processing on a legal basis, its use of the “automated means” language is less clear.
Moreover, while both the GDPR and the VCDPA apply to automated and manual processing of personal data, the GDPR restricts the scope of manual processing to situations where personal data is contained or is intended to be contained in a “filing system,” GDPR Art. 2. The VCDPA contains no similar limitation.
Given the VCDPA’s omission of the GDPR’s contextual limitations, the work group should offer much-needed clarification.
The VCDPA defines “personal data” as any information that is “linked or reasonably linkable to an identified or identifiable natural person.” Significantly, it does not include information that could be linked to a consumer’s device.
Since most trackers used in the adtech ecosystem identify devices, not individuals, the scope of the consumer’s right to opt out of the processing of personal data for purposes of targeted advertising, found in Va. Code § 59.1-573.A.5, would be profoundly ineffectual.
It’s questionable whether the legislature intended to permit the use of cookies and IDFAs (Identifiers for Advertisers). But if it did, advertisers will be quite pleased!
While the VCDPA extends to both online and offline data collection practices, it specifies that if a consumer is a child, the controller must comply with the federal Children’s Online Privacy Protection Act (COPPA). But COPPA applies only to personal information collected from children online. Does that leave controllers off the hook if they collect personal data from children offline?
Most likely not, but clarification is certainly needed.
Moreover, the VCDPA classifies personal data collected from a child as “sensitive data,” and the statute prohibits the processing of sensitive data without consent. It’s in that context that the VCDPA refers to COPPA. Va. Code § 59.1-574.
Does that mean that COPPA is applicable only insofar as it provides requirements (in the corresponding federal regulations) for securing parental consent? Or, do other COPPA provisions apply, such as instances where parental consent is not necessary?
Indeed, given the heightened sensitivity of children’s personal data, the work group should offer guidance on these matters.