Published August 12, 2022.
Virginia became the second state in the US to pass a comprehensive data privacy law when the Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021.
The VCDPA takes effect on January 1, 2023 and will affect companies and organizations that do business in Virginia, or that produce products or services targeted to residents of Virginia. In other words, your business does not have to be located in Virginia to be affected by the VCDPA.
In this blog post, you can find out more about Virginia’s CDPA, including whether you will be affected and how to become compliant.
What is the Virginia Consumer Data Protection Act (VCDPA)?
Virginia’s data privacy law, most often referred to as the “VCDPA”, is the second comprehensive data protection legislation to be signed into law in the United States after the California Consumer Data Privacy Act (CCPA) and subsequent California Privacy Rights Act (CPRA) broke ground.
The Virginia Consumer Data Protection Act (VCDPA) operates on the consumer’s right to opt out of having personal data collected, processed, and sold. It also requires companies and organizations to obtain prior consent from end-users if they collect or process sensitive personal data, which we will take a deeper look at below.
This is identical to the EU’s General Data Protection Regulation (GDPR) that has been in effect since 2018. And like the rules for user consent in the EU, the VCDPA also prohibits consent banners (or “cookie banners”) from having pre-ticked boxes, making it clear that end-user consent must be “freely given, specific, informed and unambiguous.”
From January 1, 2023, websites, companies, and organizations who conduct business in Virginia or produce products or services targeted to Virginia residents must comply with the VCDPA’s requirements.
Most important things to know about the VCDPA
Scope and definitions of the VCDPA
- The VCDPA requires companies to ask for and obtain consent from users before processing their sensitive personal data.
- The VCDPA requires that users are able to opt out of having their personal data used for targeted advertising. This is usually done through a consent management platform (CMP) with consent banners (or “cookie banners”) on the website where user data is collected.
- The VCDPA includes so-called “fair information practice principles (FIPPs)” – these define how collection of user data is done in a legal way, e.g. “having a specific, disclosed purpose for collecting personal data” and providing users with a privacy notice and policy detailing what kind of data the website or company collects and how.
- The VCDPA applies to companies or for-profit organizations doing business in Virginia or producing products and services for Virginia residents. If you have a for-profit company located outside of Virginia but you have users from inside Virginia (e.g. by offering online services that Virginia residents use), you are also required to be compliant with the VCDPA.
- The VCDPA defines “sale” as the “exchange of personal data for monetary consideration by a controller to a third party”, e.g. your website to an adtech business.
- The VCDPA defines “processing” as “…any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
- The VCDPA distinguishes between “personal data” and “sensitive personal data”: “Sensitive personal data” includes data from users under the age of 13, health and biometric data, geolocation data and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation. It also talks about “de-identified” data – data that is anonymous – and states that controllers must take “reasonable measures to ensure that the data can’t be associated with an individual.”
- The VCDPA takes effect on January 1, 2023 and will be enforced by the Virginia Attorney General.
- Fines for non-compliance with Virginia’s VCDPA can go up to $7,500 per infringement, but a 30-day notice of violation will be issued to non-compliant companies before any fine is imposed, giving them the chance to rectify the violation and become compliant.
What does the VCDPA say about website cookies?
Targeted advertising is when websites and companies use personal data to tailor marketing campaigns to the users, and is defined in the VCDPA as advertising that is “selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.”
In other words, under the Virginia Consumer Data Protection Act (VCDPA), users inside Virginia must be able to opt out of cookies and trackers on websites that collect personal data for the purpose of targeted advertising.
This is usually done through a consent management platform (CMP) that automatically detects cookies and controls them based on the consent state of users, as they navigate a consent banner (also known as a ‘cookie banner’) on the website they visit.
So, if your company or organization is already in compliance with the EU’s GDPR, there’s a good chance that with minimal effort, you can make your consent management solution work for compliance with Virginia’s VCDPA too.
If you’re not, and you’re looking to become compliant, try our free website scan to see all cookies and trackers in use on your domain.
What are the VCDPA requirements for companies and organizations?
The Virginia Consumer Data Protection Act (VCDPA) requires companies and organizations to adhere to several protocols and duties when processing data from consumers.
Virginia’s VCDPA asks businesses to ensure that their personal data processing operates based on transparency, security, and consent, much like the EU’s GDPR does.
In a nutshell, the VCDPA asks companies and organizations to discover what personal data is processed, map out how and with which third parties they share personal data, and manage how personal data is stored, as well as protect personal data from breaches and abuse.
The VCDPA requires companies and organizations to:
- Provide end-users with a privacy notice that includes what kind of data is processed and why, what kind of data is shared with third parties and who the third parties are, and how and by what means users can exercise their rights,
- Disclose if personal data is processed, by the controller or a third party, for targeted advertisement – and how end-users can opt-out,
- Establish security practices for their data collection and processing,
- Respond to consumer requests within 45 days of receiving the request,
- Establish a way for consumers to appeal a refusal of their initial request,
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose of the collection,
- Only process personal data for other purposes than those disclosed if the consumer gives their consent,
- Not discriminate against consumers based on the processing of their data.
In addition to these requirements, companies and organizations (or “controllers”) need to enter into a so-called “controller/processor agreement”, which must disclose the type of personal data that will be processed, the purpose for processing the personal data, and the duration of processing.
For the processor, the agreement comes with certain requirements, including to ensure confidentiality of the data processing, provide all personal data in possession if requested to, and delete all personal data when processing and services are done if requested to.
For companies and organizations already in compliance with the EU’s GDPR and California’s CCPA/CPRA, compliance with Virginia’s VCDPA is pretty straightforward with minimal adjustments.
What does a privacy notice look like under Virginia’s VCDPA?
The VCDPA requires a company’s privacy notice to be posted in the place where the data collection takes place – most commonly a website. It must be easy to find, accessible for end-users, and written in clear and understandable language.
A VCDPA-compliant privacy notice should include:
- Categories of personal data collected or processed on the website,
- Categories of personal data shared with third parties,
- Categories of third parties with whom data is shared,
- Purpose of data collection and processing,
- Disclosure of any data collection and/or processing for the purpose of targeted advertising, with clear instructions for how consumers can opt out.
What rights does Virginia’s VCDPA empower end-users with?
The Virginia Consumer Data Protection Act (VCDPA) affords Virginia residents several rights over the data they generate online.
Virginia’s VCDPA affords residents of the state the following rights:
- To know if their personal data is being collected or processed,
- To access the personal data held by the controller collecting or processing it,
- To get a copy of their personal data held by a controller in a portable and usable format,
- To not be discriminated against for exercising their rights,
- To have inaccurate personal data corrected,
- To have personal data deleted,
- To opt out of having their personal data collected or processed for the purposes of targeted advertising, sale, and profiling.
Both the consumer rights and business obligations found in the Virginia Consumer Data Protection Act (VCDPA) are closely related to those found in the EU’s General Data Protection Regulation (GDPR) and in the California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA).
Let’s have a look at what’s different and similar about the Virginia VCDPA, EU’s GDPR and California’s CCPA/CPRA.
How is Virginia’s VCDPA different from California’s CCPA/CPRA and EU’s GDPR?
Looking across the Atlantic, Virginia’s VCDPA borrows provisions from another major piece of data privacy legislation, namely the EU’s GDPR.
To reiterate a previous point: for companies and organizations who are already in compliance with the EU’s GDPR and California’s CCPA/CPRA, becoming compliant with Virginia’s VCDPA should be possible with minor adjustments.
In the following section, we outline the most important differences and similarities between the Virginia Consumer Data Protection Act (VCDPA) and the EU’s GDPR and California’s CCPA/CPRA.
Like the EU’s GDPR, Virginia’s VCDPA requires you to obtain explicit and affirmative consent from your website’s users when processing sensitive data. This makes the VCDPA’s consent provision broader and stricter than that of California’s CCPA/CPRA, whose consent requirement applies only to minors.
The VCDPA’s definition of consent is even word-for-word taken from the EU’s GDPR, requiring the “freely given, specific, informed and unambiguous agreement” to constitute a valid end-user consent.
Also inspired by the EU’s GDPR, Virginia’s VCDPA requires you to perform data protection assessments for so-called “high risk processing” of personal data, which covers targeted advertising, i.e. the sale of personal data and profiling.
When comparing Virginia’s VCDPA to California’s CCPA/CPRA, as we did in the introduction of this article, it becomes clear that (although inspired by California’s model) Virginia has gone its own way with its US data privacy law.
The biggest differences between Virginia’s VCDPA and California’s CCPA/CPRA are:
- Scope: Virginia’s VCDPA applies to fewer websites and businesses than California’s CCPA/CPRA, since entities like government agencies, nonprofits and higher education institutions are exempt from compliance with the law.
- Personal data: Virginia’s VCDPA excludes a much larger part of end-users’ data, since its definition of what is publicly available is much broader than California’s CCPA/CPRA.
- Fines and enforcement: Virginia’s VCDPA comes with bigger fines and harder penalties than California’s CCPA/CPRA. While both describe maximum penalties of $7,500 per violation, Virginia’s VCDPA also allows recovery of legal fees and investigative costs, and violations are not limited to “intentional violations”. On the other hand, California allows for a private right of action that can grant end-users up to $750 per violation.
- Sale: Virginia’s VCDPA has a narrower definition of sale, defining it as “the exchange of personal data for monetary consideration by the controller to a third party”, whereas California’s CCPA defines it as “any sharing, disclosure or sale of personal information with a third party in exchange for money or other value.”
- Rights: Virginia’s VCDPA empowers Virginia residents with much broader opt-out rights than California’s law, creating a way for end-users in Virginia to not only opt out of the sale of their personal information, but also specifically opt out of targeted advertising and data profiling, i.e. the collection of personal data and inferences made for the purpose of predicting user behavior.
Unlike both the CCPA and GDPR, the VCDPA does not afford Virginia residents a private right of action, meaning that they cannot sue companies or organizations for violations and infringements. Instead, the Attorney General of Virginia is solely responsible for enforcing the data privacy law.
With the Virginia Consumer Data Protection Act (VCDPA), the US gets another comprehensive state-level data privacy law in the absence of a federal one.
The VCDPA enters into effect on January 1, 2023, so companies and organizations that know that the law will apply to them should start preparing compliance solutions, like a consent management platform (CMP) to handle all personal data processing based on end-user consent and opt-out.
If your company or organization is already in compliance with the EU’s GDPR and California’s CCPA/CPRA, chances are good that you don’t need to do much in order to get your website in compliance with Virginia’s VCDPA too.
Try a free scan to see what cookies and trackers process personal data on your website.
What is the VCDPA?
The VCDPA – or Virginia Consumer Data Protection Act – is the data privacy law of the state of Virginia. It governs the collection and processing of personal data from Virginia residents. It sets out key rights, such as the right to opt-out of having personal data sold to third parties or used for targeted advertisement. The VCDPA takes effect on January 1, 2023.
Who does the VCDPA apply to?
The VCDPA applies to companies or for-profit organizations doing business in Virginia or producing products and services for Virginia residents. If you have a for-profit company located outside of Virginia but you have users from inside Virginia (e.g. by offering online services that Virginia residents use), you are also required to be compliant with the VCDPA.
What are the most important things to know about the VCDPA?
The Virginia Consumer Data Protection Act (VCDPA) regulates the collection and processing of personal data from Virginia residents by for-profit companies and organizations. Most importantly, it requires businesses to make their data collection transparent in privacy and cookie policies, to let users opt out of processing of personal data, and to obtain prior consent before processing sensitive personal data.
What is the VCDPA definition of personal data?
The VCDPA defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable natural person (de-identified data and publicly available information are exempt). The VCDPA also distinguishes between “personal data” and “sensitive personal data”. The latter includes data from users under the age of 13, health and biometric data, geolocation data, and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation.