On March 2, 2021, Virginia became the second state in the nation to enact a privacy protection law. The new law is called the Virginia Consumer Data Protection Act (VCDPA), and it goes into effect on January 1, 2023. Given the almost two-year lag between the enactment and effective dates, covered businesses will have sufficient time to plan ahead and take steps to comply with the law.
The VCDPA applies to organizations that conduct business in Virginia or that produce products or services that target Virginia residents. In addition, to be covered, an organization must also control or process personal data of at least 100,000 consumers in a calendar year, or control and process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Some entities are not covered by the new law, including governmental entities, higher education institutions, and nonprofits. Certain types of data are excluded from coverage under the VCDPA, including employee data and information governed by federal regulations such as the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. Financial institutions and data subject to the Gramm-Leach-Bliley Act are also excluded from the requirements of the VCDPA, as are entities and data governed by the Health Insurance Portability and Accountability Act.
The Act gives consumers the right to, among other things, opt out of the processing of personal data for the purpose of targeted advertising, the sale of their personal data, and profiling. However, the VCDPA does not give individuals the right to enforce the statute—in other words, there is no private right of action, and only the state attorney general has enforcement authority.
In light of the passage of the new Virginia law, entities covered under it will not only have to grapple with updating policies and procedures to meet their obligations under the VCDPA, but must also pay attention to other privacy laws that govern them now or that may govern them in the future, to ensure that those policies and procedures address any areas where the patchwork of privacy protection laws may diverge.