On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law, making Virginia the second state to pass comprehensive data privacy legislation. While this law does not take effect until January of 2023, let’s take a look at the basics of the act in order to prepare ourselves for the coming changes.
Who is restricted by the VCDPA?
The VCDPA applies to all entities that conduct business in the Commonwealth or those that produce products or services that are targeted to residents of the Commonwealth and that either:
(A) control or process the personal data of at least 100,000 consumers during a calendar year; or
(B) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
The VCDPA specifically excludes the following entities:
(i) bodies, boards, and agencies of the Commonwealth of Virginia or any political subdivision of the Commonwealth;
(ii) any financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.);
(iii) any covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5);
(iv) nonprofit organizations;
(v) institutions of higher education.
Essentially, the VCDPA will apply to just about any large-scale business that regularly interacts with Virginia residents.
What is “personal data” under the VCDPA?
The Act defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person. ‘Personal data’ does not include de-identified data or publicly available information.”
The Act specifically excludes several categories of data (not all are listed here), which include:
1. Protected health information under HIPAA;
2. Information regulated by the Fair Credit Reporting Act;
3. Information protected by the Driver’s Privacy Protection Act.
In short, information that is already covered by another statute is excluded.
The Act also defines a category called “sensitive data,” which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizenship or immigration status. This category also includes precise geolocation data, the processing of genetic or biometric data for the purpose of uniquely identifying a person, and personal data collected from a child. An entity to which the Act applies must obtain the consumer’s consent before processing sensitive data.
What are my obligations if this law applies to me?
What rights are granted to consumers?
Under the VCDPA, consumers have the right to:
Penalties
The Attorney General has exclusive authority to enforce the Act by seeking injunctive relief and/or monetary damages. Violations can result in civil penalties of up to $7,500.00 per violation. The Act does not create a private right of action for consumers.
If you have questions about this article, please contact Sean Mackin (smackin@setlifflaw.com) at 804-377-1272, or Steve Setliff (ssetliff@setlifflaw.com) at 904-377-1261.
© 2024 Setliff Law, P.C.