Virginia Passes Consumer Data Protection Act

On March 2, 2021, Governor Northam signed the Virginia Consumer Data Protection Act (CDPA or the Act) making it the country’s second comprehensive data privacy legislation following California’s Consumer Protection Act of 2018 (CCPA). The law will go into effect on January 1, 2023.

The Act will apply to persons or entities that conduct business in Virginia or produce products or services targeting Virginia residents, and that (i) during a calendar year, control or process personal data of at least 100,000 Virginia consumers or (ii) control or process personal data of at least 25,000 Virginia consumers and derive more than 50% of gross revenue from the sale of personal data.

The Act borrows many data protection principles from the California Consumer Privacy Act (“CCPA”) and the General Data Protection Regulation in the European Union. For example, the Act creates obligations for “controllers” (those determining the processing of personal data) and “processors” (those processing the personal data on a controller’s behalf). The Act also similarly defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Under the Act, controllers have obligations to, among other things:

1.) Disclose in a privacy notice various processing activities;
2.) Obtain specific affirmative consent before collecting and otherwise processing “sensitive data” concerning a consumer;
3.) Conduct data protection assessments for certain processing activities, such as processing for targeted advertising, processing of sensitive data, and processing that presents a heightened risk of harm to consumers;
4.) Maintain reasonable administrative, technical, and physical data security practices; and
5.) Comply with requests from consumers to exercise the right to access personal data; the right to obtain a copy of personal data; the right to correct inaccuracies; the right to delete personal data; and the right to opt out of processing of personal data for purposes of targeted advertising, profiling for use in making significant decisions concerning the consumer, and selling personal data.

The new law also expressly does not apply to any:

1.) Financial institution or data subject to Gramm- Leach-Bliley Act;
2.) Covered entity or business associate governed by HIPAA;
3.) Nonprofit organization; or
4.) Institution of higher education.

The statute grants the Attorney General exclusive authority to enforce its provisions, subject to a 30-day cure period for any alleged violations.  The Attorney General may seek injunctive relief and damages for up to $7,500 for each violation, as well as “reasonable expenses incurred in investigating and preparing the case, including attorney fees.”

Notably, the VCDPA does not grant consumers a private right of action, unlike the CCPA/CPRA which grants a limited private right of action for consumers whose nonencrypted and nonredacted personal information was subject to unauthorized access and exfiltration.