
On March 2, 2021, Virginia enacted the Consumer Data Protection Act (widely referred to as the VCDPA), becoming the second state after California to adopt a comprehensive consumer data privacy law; Colorado followed later in 2021. The VCDPA took effect on January 1, 2023. It shares much of its structure with the other state laws but has provisions of its own, including a 30-day cure period, a mandatory consumer appeals process, and opt-in consent for processing sensitive data.

Get started with a VCDPA ready Privacy Policy

Get Started

Understanding the Virginia Consumer Data Protection Act (VCDPA)

The VCDPA, like its counterparts, is designed to give consumers more control over their personal data. Note that a "consumer" under the VCDPA is a Virginia resident acting in an individual or household context; people acting in a commercial or employment context are excluded. To ensure compliance, it is crucial to understand the core components of the VCDPA:

  1. Consumer Rights Under VCDPA:
    • Right to Access and Correct Personal Data: Consumers may confirm whether a controller is processing their personal data, access that data, and request correction of inaccuracies.
    • Right to Delete: Consumers may request deletion of personal data provided by or obtained about them.
    • Data Portability: Consumers may obtain a copy of the personal data they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format.
    • Opt-Out Rights: Consumers may opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
    • Transparency in Data Processing: Controllers must provide a privacy notice describing the categories of personal data processed, the purposes of processing, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties.
    • Non-Discrimination: Controllers may not discriminate against consumers for exercising their rights, although they may offer different prices or service levels through a bona fide loyalty or rewards program.
    • Sensitive Data and Minors: Processing sensitive data requires the consumer's opt-in consent. Personal data collected from a known child (under 13) is sensitive data and must be processed in accordance with COPPA.
  2. Defining Personal Data:
    • Under the VCDPA, personal data is any information linked or reasonably linkable to an identified or identifiable natural person; it excludes de-identified data and publicly available information. Names, postal and email addresses, and online or device identifiers are typical examples.

Is the Virginia Consumer Data Protection Act Applicable to Your Business?

To ensure compliance with the VCDPA, first determine whether the law applies to your business. Both of the following conditions must be met:

  1. Geographic Scope:
    • Conduct Business in Virginia: Your business conducts business in Virginia or produces products or services targeted to Virginia residents.
  2. Volume Thresholds:
    • During a calendar year, you control or process the personal data of at least 100,000 consumers; or
    • You control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

"Processing" covers any operation performed on personal data, including collection, storage, use, disclosure, and deletion. Whether you act as a controller (deciding the purpose and means of processing) or a processor (processing on a controller's behalf) determines which obligations fall on you; processors must act under a contract with the controller and assist it in meeting its obligations.

Exemptions from the VCDPA

While the VCDPA is extensive in its scope, certain entities are exempt from its provisions, including:

  1. State Agencies and Political Subdivisions: Bodies, authorities, boards, bureaus, commissions, districts, and agencies of the Commonwealth or of its political subdivisions are exempt.
  2. Financial Institutions: Financial institutions and their data subject to Title V of the Gramm-Leach-Bliley Act are exempt. This is an entity-level exemption: if your business is a GLBA financial institution, the VCDPA does not apply to it.
  3. Healthcare Entities: Covered entities and business associates as defined under HIPAA and HITECH are exempt. If your organization handles protected health information (PHI) as a covered entity or business associate, the VCDPA does not apply to it.
  4. Nonprofit Organizations and Educational Institutions: Nonprofits and institutions of higher education are also exempt.
  5. Data-Level Exemptions: Even for covered businesses, certain data is carved out, including PHI under HIPAA, data regulated by the FCRA, DPPA, or FERPA, and personal data processed in an employment or business-to-business context.

Ensuring Compliance

To ensure compliance with the VCDPA, follow these essential steps:

  1. Determine Applicability: Assess whether your business falls under the VCDPA by considering both its geographic reach and the volume thresholds described above.
  2. Privacy Notice: Publish a reasonably accessible, clear, and meaningful privacy notice containing all required elements: the categories of personal data processed, the purposes of processing, how consumers may exercise their rights and appeal a decision, the categories of personal data shared with third parties, and the categories of those third parties.
  3. Data Rights: Build a process that lets consumers exercise their rights of access, correction, deletion, portability, and opt-out, and that responds within 45 days of receipt (extendable once by a further 45 days when reasonably necessary). Requests must be handled free of charge up to twice a year per consumer. Train staff to recognise and route these requests.
  4. Transparency: If you sell personal data or process it for targeted advertising, disclose this clearly and conspicuously and explain how consumers can opt out.
  5. Security Measures: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the data. Regularly assess and improve these controls to reduce the risk of a breach.

Looking Ahead

The Virginia Consumer Data Protection Act took effect on January 1, 2023. To prepare for compliance and keep your business on the right side of the VCDPA, consider the following:

  1. Privacy Gap Assessment: Conduct a thorough assessment of your online services and websites against the VCDPA's requirements. Pay special attention to services accessed by minors, since data collected from a known child is sensitive data.
  2. Data Retention and Minimization: Limit collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, establish a structured retention schedule, and have clear procedures for deleting data once it is no longer needed.
  3. Reporting Mechanisms: Develop mechanisms for detecting and reporting data breaches. The VCDPA itself contains no breach notification rule; those obligations come from Virginia's separate data breach notification statute, and prompt reporting is essential to meeting them.
  4. Privacy Policies and Assessments: Create detailed privacy notices and conduct data protection assessments before processing personal data for targeted advertising, sale, or profiling, before processing sensitive data, and for any processing that presents a heightened risk of harm to consumers. The Attorney General may request these assessments during an investigation.
  5. Personnel Training: Train employees to respond to consumer requests effectively. Your staff should be knowledgeable about the VCDPA and understand the steps and deadlines required for compliance.
  6. Appeals Process: Institute a conspicuously available appeals process for consumers whose requests you refuse. You must respond in writing within 60 days of receiving an appeal and, if the appeal is denied, give the consumer a way to submit a complaint to the Attorney General.

How Can GetTerms Assist You

If your business falls under the Virginia Consumer Data Protection Act (VCDPA), it is crucial to begin compliance work without delay. GetTerms offers a range of services to help you address compliance requirements efficiently, including tailored legal policy documentation, staff training, and the generation of cookie consent banners. Take advantage of our solutions today to meet the needs of the VCDPA and other relevant privacy regulations.

CA/VA/CO Privacy Laws – Chart Comparison & Info. Summary

Columns: California (CPRA), Virginia (VCDPA), Colorado (CPA)

APPLICABILITY

  California (CPRA): For-profits that do business in California and meet one of three thresholds:
    1. Annual gross revenues over $25,000,000;
    2. Annually buy, sell, or share the personal information of 100,000 or more consumers or households; or
    3. Derive 50% or more of annual revenues from selling or sharing personal information.

  Virginia (VCDPA): Persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that:
    1. Control or process personal data of at least 100,000 consumers during a calendar year; or
    2. Control or process personal data of at least 25,000 consumers and derive more than half of gross revenue from the sale of personal data.

  Colorado (CPA): Controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and that:
    1. Control or process the personal data of 100,000 or more consumers during a calendar year; or
    2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.

PERSONAL DATA

  California (CPRA): Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household; it excludes publicly available information and deidentified or aggregate consumer information.

  Virginia (VCDPA): Personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person; it excludes de-identified data and publicly available information.

  Colorado (CPA): Personal data is information that is linked or reasonably linkable to an identified or identifiable individual; it excludes de-identified data and publicly available information.
SENSITIVE INFORMATION

  California (CPRA): Sensitive personal information is personal information that reveals certain attributes of a consumer. The statute lists the categories, which largely match those in Virginia and Colorado and additionally include Social Security number; driver's license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; and precise geolocation.

  Virginia (VCDPA): Sensitive data is personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying a natural person; personal data collected from a known child; and precise geolocation data.

  Colorado (CPA): Sensitive data is personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; and personal data from a known child.
KEY EXEMPTIONS

  California (CPRA):
    1. Information (not institutions) subject to GLBA or California financial privacy laws
    2. Institutions and information subject to HIPAA
    3. Data regulated by FCRA, DPPA, FERPA, and others
    4. Non-profit organizations
    (Note: the CCPA's temporary exemptions for personnel and B2B data expired on January 1, 2023 without being extended, so employee and business-contact data is now within scope in California.)

  Virginia (VCDPA):
    1. Institutions subject to GLBA and its implementing regulations
    2. Institutions and information subject to HIPAA
    3. Personnel data
    4. B2B information
    5. Data regulated by FCRA, DPPA, FERPA, and others
    6. Non-profit organizations

  Colorado (CPA):
    1. Institutions subject to GLBA and its implementing regulations
    2. Institutions and information subject to HIPAA
    3. Personnel data
    4. B2B information
    5. Data regulated by FCRA, DPPA, FERPA, and others
    6. Data maintained by state institutions of higher learning for non-commercial purposes

CONSUMER RIGHTS

| Right | California (CPRA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|
| Right of Access | Yes | Yes | Yes |
| Right of Portability | Yes | Yes | Yes |
| Right to Correct | Yes | Yes | Yes |
| Right to Delete | Yes | Yes | Yes |
| Opt-out Right | Yes | Yes | Yes |
| Opt-in Right for Processing Sensitive Data | No (instead, a right to limit use and disclosure of sensitive personal information) | Yes | Yes |
| Non-Discrimination Right | Yes | Yes | No |
| Private Right of Action | Yes (limited to certain data breaches) | No | No |

BUSINESS/CONTROLLER OBLIGATIONS

| Obligation | California (CPRA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|
| Notice to Consumers | Yes (notice at collection specifically required) | Yes (privacy notice required) | Yes (privacy notice required) |
| Privacy Policy | Yes (a California-specific privacy policy is required) | No separate document mandated (the required disclosures may be made in the privacy notice or privacy policy) | No separate document mandated (the required disclosures may be made in the privacy notice or privacy policy) |
| Contractual Requirements for Third-Party Service Providers/Processors | Yes | Yes | Yes |
| Data Protection Assessments | Not in the statute itself (the CPRA directs the CPPA to require risk assessments by regulation) | Yes | Yes |

ENFORCEMENT

| Item | California (CPRA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|
| Right to Cure | None (the CCPA's 30-day cure period sunset on January 1, 2023) | 30 days | 60 days |
| Enforcer | Dedicated enforcement agency (CPPA), Attorney General, and private litigants (breach claims only) | Attorney General | Attorney General and District Attorneys |
