The VCDPA came into effect January 1, 2023 and affects companies and organizations that do business in Virginia, or that produce products or services targeted at residents there. Organizations do not have to be based in Virginia to be affected by the VCDPA.
What is the Virginia Consumer Data Protection Act (VCDPA)?
Virginia’s data privacy law was influenced by the California Consumer Data Privacy Act (CCPA).
The Virginia Consumer Data Protection Act (VCDPA) operates based on the consumer right to opt out of having personal data collected, processed, and sold. Personal data can be collected and processed without consumers’ consent, but they have to be provided the option to opt out of that at any point. Organizations do have to obtain prior consent from consumers if they collect or process sensitive personal data, which is specifically categorized in the VCDPA.
This differs from the European Union’s General Data Protection Regulation (GDPR), which has been in effect since 2018 and requires user consent prior to data collection or processing. However, like the rules for user consent in the EU, the VCDPA requires consent to be freely given, informed, and explicit.
From January 1, 2023, websites, companies, and organizations who conduct business in Virginia or produce products or services targeted to Virginia residents must comply with the VCDPA’s requirements if they meet the law’s compliance thresholds.
Most important things to know about the VCDPA
Scope and definitions of the VCDPA
- The VCDPA does not require companies to ask for and obtain consent from users before processing their personal data generally. It does require prior consent if the personal data is categorized as sensitive.
- The VCDPA requires that users be able to opt out of having their personal data used for targeted advertising. This can be done via a consent management platform (CMP) with a consent banner or cookie banners on the website where user data is collected.
- The VCDPA includes fair information practice principles (FIPPs), which define how collection of user data is to be done legally, e.g. having a specific, disclosed purpose for collecting personal data and providing users with a privacy notice and policy detailing what kind of data the website or company collects and how, and any third parties with which it may be shared.
- The VCDPA applies to companies or for-profit organizations doing business in Virginia or producing products and services for Virginia residents. If you have a for-profit company located outside of Virginia but you have users residing in the state, you are also required to be compliant with the VCDPA if your organization meets the compliance thresholds.
- The VCDPA defines “sale” as the “exchange of personal data for monetary consideration by a controller to a third party”, e.g. your website to an adtech partner.
- The VCDPA defines “processing” as “…any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
- The VCDPA distinguishes between “personal data” and “sensitive personal data”: “Sensitive personal data” includes data from users under the age of 13, health and biometric data, geolocation data and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation.
- The VCDPA also references “de-identified” or anonymized data – data that has been processed so it could no longer be used to identify individuals – and states that controllers must take “reasonable measures to ensure that the data can’t be associated with an individual.”
- The VCDPA is enforced by the Virginia Attorney General.
- Fines for noncompliance with Virginia’s VCDPA can be up to $7,500 per infringement, but a 30-day notice of violation will be issued to non-compliant companies prior to fines with the chance to rectify and become compliant (i.e. “cure period”).
What does the VCDPA say about website cookies?
Targeted advertising is when websites and companies use personal data to tailor marketing campaigns to the users, and is defined in the VCDPA as advertising that is “selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” Users must be able to opt out of it.
This opt-out option can be provided with a consent management platform (CMP) that automatically detects cookies and other tracking technologies in use and controls them based on the consent preferences users express as they navigate a consent banner or cookie banner on websites they visit.
So, if your company or organization is already in compliance with the EU’s GDPR, limited effort should be required to make your consent management solution work for compliance with Virginia’s VCDPA as well. As noted, prior consent is only required sometimes, but users must always have an opt-out option later on, and must always be informed about data collection, use, and sharing.
If you need to become compliant, get started by trying our free website scan to see all cookies and trackers in use on your domain.
What are the VCDPA requirements for companies and organizations?
The Virginia Consumer Data Protection Act (VCDPA) requires companies and organizations to know what personal data from users is collected and processed, map out how and with which third parties they share personal data, and manage how personal data is stored, protecting it from breaches and abuse.
The VCDPA requires companies and organizations to:
- Provide end users with a privacy notice that includes what kind of data is processed and why, what data is shared with third parties and who the third parties are, and how and by what means users can exercise their rights
- Disclose if personal data is processed by the controller or a third party for targeted advertising, and how end users can opt out
- Establish security practices for data collection and processing
- Respond to consumer requests within 45 days of receiving the request (with the possibility of extension under specific circumstances)
- Provide a way for consumers to appeal a valid refusal of their initial request (e.g. if user identity verification was not adequate)
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose of the collection
- Only process personal data for purposes other than those disclosed if the consumer gives their prior consent (also if the processing purposes change after they have begun)
- Not discriminate against consumers for exercising their rights.
In addition to these requirements, companies and organizations (controllers) need to enter into a controller/processor agreement which must disclose the type of personal data that will be processed, the purpose for processing the personal data, and the duration of processing.
For the processor, the agreement comes with certain requirements, including ensuring confidentiality of the data processing, providing all personal data in their possession if requested, and deleting all personal data when processing and services are done if requested.
For companies and organizations already in compliance with California’s Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), compliance with Virginia’s VCDPA should be fairly easy to achieve with minimal adjustments.
Who has to comply with the VCDPA?
Organizations collecting and processing personal data in Virginia are required to comply with the VCDPA if they are for-profit and processing the data of Virginia residents, and if they meet one of these additional thresholds:
- control or process personal data of 100,000 or more consumers during a calendar year, or
- control or process personal data of 25,000 or more consumers and derive over 50 percent of their gross revenue from the sale of that personal data
The data privacy laws in California are different as a company’s gross annual revenue can be a compliance criterion on its own in that state. This is not the case in Virginia.
What does a privacy notice look like under Virginia’s VCDPA?
The VCDPA requires a company’s privacy notice to be posted in the place where the data collection takes place, most commonly on the website. It must be easy to find, accessible for end users, and written in clear and understandable language.
A VCDPA-compliant privacy notice should include:
- Categories of personal data collected or processed on the website
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared
- Purpose of data collection and processing
- Disclosure of any data collection and/or processing for the purpose of targeted advertising, with clear instructions for how consumers can opt out
What rights does Virginia’s VCDPA give end users?
The Virginia Consumer Data Protection Act (VCDPA) provides Virginia residents with several rights over the data they generate and share online.
Virginia’s VCDPA affords residents of the state the following rights:
- To know if their personal data is being collected or processed
- To access the personal data held by the controller collecting or processing it
- To get a copy of their personal data held by a controller in a portable and usable format
- To not be discriminated against for exercising their rights
- To have inaccurate personal data corrected
- To have personal data deleted
- To opt out of having their personal data collected or processed for the purposes of targeted advertising, sale, or profiling
Both the consumer rights and business obligations found in the Virginia Consumer Data Protection Act (VCDPA) are closely related to those found in the California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA).
Let’s have a look at what’s different and similar about the Virginia VCDPA, EU’s GDPR and California’s CCPA/CPRA.
How is Virginia’s VCDPA different from California’s CCPA/CPRA and EU’s GDPR?
Looking across the Atlantic, Virginia’s VCDPA does borrow provisions from the GDPR, but the laws passed in California have also influenced it.
Unlike the EU’s GDPR, the state-level laws in the US, including Virginia’s VCDPA, do not require organizations to obtain user consent before processing personal data in most cases. The only times they are required to obtain explicit and affirmative consent from website users prior to data collection or processing are when the data is that of a known child or when processing sensitive data.
Like the EU’s GDPR, Virginia’s VCDPA requires you to obtain explicit and affirmative consent from your website’s users when processing sensitive data. This makes the VCDPA’s consent provision broader and stricter than that of California’s CCPA/CPRA, whose prior-consent requirement only applies to minors.
The VCDPA’s definition of consent is taken word for word from the EU’s GDPR, requiring valid consent to be “freely given, specific, informed and unambiguous agreement”.
Like the EU’s GDPR, Virginia’s VCDPA requires you to perform data protection assessments (DPAs) for any high-risk processing of personal data, for example when a company sells personal data or uses the services of third-party processors.
Some notable differences between Virginia’s VCDPA and California’s CCPA/CPRA are:
- Scope: Virginia’s VCDPA applies to fewer websites and businesses than California’s CCPA/CPRA, since entities like government agencies, nonprofits and higher education institutions are exempt from compliance with the law.
- Personal data: Virginia’s VCDPA excludes more types of end users’ data, since its definition of what is publicly available is much broader than California’s CCPA/CPRA.
- Fines and enforcement: Virginia’s VCDPA comes with much bigger potential fines and harsher penalties than California’s CCPA/CPRA. While both describe maximum penalties of US $7,500 per violation, Virginia’s VCDPA also allows recovery of legal fees and investigative costs, and violations are not limited to “intentional violations”. On the other hand, California allows for a private right of action (the ability for individuals to sue violators) that can grant end users up to US $750 per violation.
- Sale: Virginia’s VCDPA has a narrower definition of sale, defining it as “the exchange of personal data for monetary consideration by the controller to a third party”, whereas California’s CCPA defines it as “any sharing, disclosure or sale of personal information with a third party in exchange for money or other value.”
- Rights: Virginia’s VCDPA empowers Virginia residents with much broader opt-out rights than in California, creating a way for end users in Virginia to not only opt out of the sale of their personal information, but also specifically opt out of targeted advertisement and data profiling, i.e. the collection of personal data and inferences made for the purpose of predicting user behavior.
Unlike both the CCPA and GDPR, the VCDPA does not afford Virginia residents a private right of action, meaning that they cannot sue companies or organizations for violations and infringements. Instead, the Attorney General of Virginia is solely responsible for enforcing the data privacy law.
In the absence of a federal law, with the Virginia Consumer Data Protection Act (VCDPA), the US gets another comprehensive state-level data privacy law.
The VCDPA entered into effect on January 1, 2023, and enforcement began then as well. Companies already complying with the CCPA/CPRA and/or GDPR have already done some of the work toward potential required compliance with the VCDPA. Companies that are not yet compliant need to become familiar with their responsibilities and consumers’ rights if they fall within compliance thresholds. A consent management solution can help with achieving compliance on websites for cookie and tracking usage.
Cookiebot CMP by Usercentrics is a global market leader in the field of consent management platforms (CMP). We can help you achieve VCDPA compliance and ensure accurate, up to date notification of website and app users.
Try a free scan to see what cookies and trackers process personal data on your website.
The VCDPA – or Virginia Consumer Data Protection Act – is the data privacy law of the state of Virginia. It governs the collection and processing of personal data from Virginia residents. It sets out key rights, such as the right to opt-out of having personal data sold to third parties or used for targeted advertisement. The VCDPA takes effect on January 1, 2023.
The VCDPA applies to companies or for-profit organizations doing business in Virginia or that produce products and services for Virginia residents. If you have a for-profit company located outside of Virginia but you have users from inside Virginia (e.g. by offering online services that Virginia residents use), you are also required to be compliant with the VCDPA.
The Virginia Consumer Data Protection Act (VCDPA) regulates the collection and processing of personal data from Virginia residents by for-profit companies and organizations, most importantly by requiring that businesses make their data collection transparent in privacy and cookie policies, enable users to opt out of the processing of personal data, and obtain prior consent before processing sensitive personal data.
The VCDPA defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable natural person (de-identified data and publicly available information are exempt). The VCDPA also distinguishes between “personal data” and “sensitive personal data”; the latter includes data from users under the age of 13, health and biometric data, geolocation data, and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation.