The Governor of Virginia signed the state’s Consumer Data Protection Act (VCDPA) into law, making Virginia the second state in the U.S., after California, to codify a major privacy and data protection law. The VCDPA follows some of the arrangements of the California Consumer Privacy Act (CCPA) as amended by the Consumer Privacy Rights Act (CPRA), but departs from them in important respects.
Effective January 1, 2023, the VCDPA applies to personal data so long as it is not “de-identified data or publicly available information”. Importantly, the VCDPA extends its protection to Virginia residents “acting only in an individual or household context”, and not to “a natural person acting in a commercial or employment context”. Organizations subject to the VCDPA are those that conduct business in Virginia or target Virginia residents, and that either annually process personal data of 100,000 or more Virginians or process personal data of at least 25,000 Virginians while deriving over 50 percent of their gross revenue from the sale of personal data.
Virginians will have various rights under the VCDPA, including the right to know whether a company processes their personal data and to receive a copy of it; to correct inaccurate data; to delete data; to opt out of the sale of their personal data or its use for targeted ads; and to opt out of any profiling that is used for decision-making that significantly impacts the person.
The VCDPA will also bind data controllers to data processing measures such as purpose limitation and data minimization, data security, non-discrimination, data protection assessments, and transparency to data subjects. The Virginia attorney general would have exclusive authority to enforce the VCDPA.
The VCDPA will also prohibit processing “sensitive data” absent the consumer’s consent, which must be through a clear affirmative act signifying the freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Sensitive data covers data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, precise geolocation data, sexual orientation, genetic or biometric data, or citizenship or immigration status, and any personal data collected from a person under 13.