Online businesses targeting Virginia consumers and have personal data of 100,000 consumers in the state must conform to the new statute.

Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice, Woods Rogers Vandeventer Black

February 18, 2021

5 Min Read

Rarely do Virginia and California fall into the same legislative camp, but if the Virginia Consumer Data Protection Act is signed by its governor (as is widely expected), both states will have a sweeping data privacy act. And in the absence of a federal data privacy law, individual states continue to fill gaps centered on consumers, businesses, and the collection of data.

Who's Covered By VCDPA
Businesses that "conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data."   

Remember that conducting business in the age of e-commerce can mean simply operating a website that targets residents in Virginia. Thus, if you are a business with a website targeting Virginia consumers and have the personal data of at least 100,000 of those consumers, you likely fall under the arm of the statute and need to take steps to comply. This is a notable departure from California's CCPA, which centers on businesses with a $25 million revenue threshold; possess personal data of more than 50,0000 consumers; or earn more than half their annual revenue selling consumers' personal data. Virginia's legislation centers instead solely on Virginia consumers served or data sold.

A series of businesses are exempt from VCDPA, including those that fall under HIPAA or Graham-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and governmental entities in Virginia.

What Is Personal Data Under VCDPA?
The act defines personal data as "any information that is linked or reasonably linked to an identifiable or identifiable natural person." It does not include de-identified data or publicly available data. And, most notably, it also does not include a "natural person acting in a commercial or employment context." In other words, personal data applies almost strictly to consumer data. The act exempts data generated for business contacts or information held on employees.

VCDPA creates a second threshold for "sensitive data," which it defines as data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status.

Business-to-business communications and contacts are specifically also carved out, relying instead on consumer-driven data collection. Thus, if you are a business that operates by sales teams reaching out directly to other businesses, you may not fall under the definition of "personal data" as the  VCDPA defines it. Similarly, photographs, videos, and audio recordings are exempt from the definition of biometric data.

The VCDPA grants rights to consumers to confirm the personal data being processed by a business, to obtain a copy of that data, or to request the business delete that personal data. And, notably, the act allows that a consumer may opt out of the processing of the personal data for targeted advertising, sale, or profiling of the consumer. 

The Compliance Countdown Is On 
The act takes effect Jan. 1, 2023, a compliance deadline that also lines up with the recently passed California Consumer Rights Act. 

This will most certainly continue to drive the conversation toward a federal data privacy act. Right now, a patchwork of states are creating laws that are driving the consumer data privacy conversation. If the governor signs the VCDPA as expected, Virginia will have beaten Maryland, Minnesota, New York, and Washington to the punch in a national conversation.  

Security Professionals Must Be Particularly Mindful 
The VCDPA requires that businesses "establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data." The act goes a step further and adds these teeth: "Such data security practices shall be appropriate to the volume and nature of the personal data at issue." In other words, if a business is storing or processing high volumes of consumer information, it will be held to a higher standard. 

The VCDPA requires that businesses "limit the collection of personal data to what is adequate, relevant, and reasonably necessary." In other words, businesses must be mindful of how they collect information and the duration for which they store this data. As many security professionals know, this is in many ways mission critical to limiting the fallout zone of a future potential data incident. The less sensitive data a business stores, the less risk the organization shoulders if an incident occurs.

The VCDPA will continue to push forward the national conversation on data privacy rights and the security of consumer data. Privacy and security go hand in hand under these data privacy acts showing that many companies must not only defend against external forces attempting to access data but also improper internal collection of consumer information.  

Rather than wait for January 2023, all businesses — especially those with a national footprint — are well served to begin analyzing their data footprints now and taking steps toward compliance with Virginia and California's new enhanced privacy protections for consumers.

About the Author(s)

Beth Burgin Waller

Chair, Cybersecurity & Data Privacy Practice, Woods Rogers Vandeventer Black

As chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB), Beth's practice is fully devoted to cybersecurity and data privacy. Clients ranging from local government and state agencies to mid-market firms and Fortune 200 companies depend on Beth for advice and counsel. Beth's credentials in the field are extensive. She is a certified Privacy Law Specialist by the International Association of Privacy Professionals (IAPP), which is accredited by the American Bar Association. In addition, she is a Certified Information Privacy Professional with expertise in both US and European law (CIPP/US & CIPP/E) and a Certified Information Privacy Manager (CIPM), also from the IAPP. In 2022, the governor of Virginia appointed Beth to the Commonwealth of Virginia’s first Cybersecurity Planning Committee, a committee tasked with increasing the cybersecurity posture of public bodies and local governments in Virginia.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights