Sic Semper Privacy: Virginia Becomes Second State to Enact Consumer Privacy Law

Well, we all knew it was coming.

The longer the US continues without a comprehensive federal privacy law to rival Europe’s GDPR, the more the individual states are going to move to fill the void—and also make sure they’re not completely outdone by California where the curtain’s already dropping on CCPA and everyone’s getting ready for the second act of CPRA. It is, however, a bit surprising to see Virginia beat the State of Washington as the next in line. But sure enough, on March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law. Like California’s CCPA replacement, the CPRA, Virginia’s VCDPA will take effect on January 1, 2023.

As with most similar laws, VCDPA gives consumers new rights to access and control the personal data that businesses collect about them. For businesses, the Virginia law imposes new obligations that include:

  • obtaining data subject consent in certain circumstances;
  • implementing a security program;
  • restricting sales of personal data;
  • conducting data impact assessments; and
  • using specialized contract terms with third parties.

The popular media has been quick to run with all manner of comparisons between California’s current law, the CCPA, and the VCDPA. While there are certainly similarities in a few key areas, a close read of Virginia’s new law suggests that the VCDPA resembles the GDPR at least as much as it does the CCPA.

For instance, while the VCDPA, like its California analog, requires detailed notices to data subjects, creates various data subject access rights and puts restrictions on the sale of personal information, the Virginia law’s third party oversight, impact assessment and security program obligations are considerably more extensive than what is currently required in California, and much closer to the GDPR.

Over the course of the next few weeks, we’ll break down all the major elements of VCDPA. Today, we begin at the beginning with the basics of who and what are covered.

Who does the VCDPA Protect?

Similar to California, Virginia’s new act states that it protects Virginia “consumers.” As with California, however, the word consumer is a bit of a misnomer. Understood colloquially and under many other legal regimes, a consumer is typically a purchaser/user of goods and services. That’s not at all the case under the Virginia law. Under the VCDPA, the word “consumer” actually means “a natural person who is a resident [of Virginia][ . . . ] in an individual or household context [to the exclusion of purely business/employment contexts].”

Who must comply with the VCDPA?

The VCDPA covers all “persons” who either conduct business in Virginia or, similar to the standard set by the GDPR, who “target” residents of Virginia if, in both cases, those persons control, process or sell certain prescribed volumes of personal data in the course of a calendar year.

Like CCPA, the Virginia law has certain exemptions to who is covered. These exemptions are, however, notably different from CCPA. Both the California and Virginia laws have HIPAA and GLB exemptions. In California, those exemptions apply only to the affected data itself, not the overall business. In Virginia, the HIPAA and GLB exemptions read more broadly: if your business is governed by HIPAA or GLB, it is entirely exempt from VCDPA.

What is Protected?

The VCDPA protects “personal data” using a fairly straightforward, and by now familiar, definition. To wit: “information that is linked or reasonably linkable to an identified or identifiable natural person.” The list of what’s excluded from that definition is somewhat extensive, spanning about 18 separate items, including:

  • business data;
  • employment data;
  • de-identified data;
  • publicly available data;
  • HIPAA data (note this is separate from and appears supplemental to the exemption for entities governed by HIPAA);
  • human research, public health, patient safety and related data; and
  • data governed by various additional U.S. federal laws, including FERPA, which is the educational equivalent to GLB.

Notably, the business and employment data exemptions in Virginia are baked right into the language of the statute itself. In California, those exemptions exist, for now anyway, only by virtue of special ancillary laws having only temporary effect.

How is it Protected?

In our next installment, we’ll review how VCDPA seeks to protect personal data and where its most extensive obligations can be found. In the meantime, remember our refrain about applying the Pareto Principle to data security and privacy (discussed here among other places). If you take the following steps, your compliance program will be ready for most of whatever Virginia, Washington, Minnesota or any other jurisdiction require:

  • adopt a risk-based technical and administrative data protection program;
  • take the time to actually implement that program (“saying” it is one thing, “doing it” is another);
  • tell your employees and customers what you’re doing with the data you collect about them and why;
  • give your employees and customers some degree of access to, and autonomy over, that data;
  • keep a close eye on third parties (including vendors) with whom you share that data; and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.