February 18, 2022

What you need to know about the Virginia Data Privacy Law

Virginian organizations will have to invest more time and resources into data management in the next few years due to the signing of the Virginia Consumer Data Protection Act.

Event Date:
Hosted By:
Register Now
Mark Rowan

Most organizations deal with data governance and data classification in some capacity. However, Virginian organizations will have to invest more time and resources into data management in the next few years due to the signing of the Virginia Consumer Data Protection Act.

In this article, we’ll explore what the Virginia Consumer Data Protection Act is and what it means for businesses that serve customers and clients in Virginia.

What is The Virginia Consumer Data Protection Act (VCDPA)?

Consumers have the right to see their data and request that firms erase their personal information under the VCDPA. It also mandates that businesses complete data security audits when processing personal data for targeted advertising and sales.

To be included in the statute's scope, businesses operating in Virginia must meet one of two criteria, both of which address a minimum number of impacted customers. In a calendar year, entities must control or handle the personal data of at least 100,000 customers, or the personal data of at least 25,000 consumers, with the sale of such data accounting for more than 50% of gross income.

Consumers are Virginia residents "acting exclusively in an individual or household setting," according to the VCDPA, which explicitly outlines who is protected. It goes on to say that consumers do not include anyone who are engaged in a "commercial or job environment." Unlike California, where the B2B and employee exclusions have been the subject of many legislative changes, Virginia has decided not to leave those possible compliance difficulties up in the air. Aside from reporting data protection assessments, Virginia's statute has no major record keeping obligations. If a company currently has a GDPR or CCPA-compliant mechanism in place for accepting and responding to data subject or consumer access requests, it should be enough to handle requests from Virginia residents.

The VCDPA vs Other Data Privacy Laws

There are substantial distinctions between the Virginia privacy legislation and the GDPR and CCPA that we've been accustomed to. The first is a definition of the term "consumer." In Virginia, a consumer is defined as someone who is mainly a Virginia resident "operating exclusively in an individual or home setting," but excludes "any person engaging in a business or job context." The information maintained from business-to-business or PII belonging to workers is not covered by data privacy rules. 

VCDPA is also unusual in terms of how data sales are defined. "Unlike the CCPA, which allows personal data to be traded for 'monetary or other valued compensation,' the CDPA requires that the consideration be monetary to qualify as a data sale," according to IAPP. There are several exceptions to this rule, such as data that customers knowingly make public (e.g., through a social media posting), data disclosures to a third party offering a specific service or product, and data transfers during a corporate merger or acquisition. As the VCDPA takes shape, keep an eye on the exclusion of data given by consumers on social media or for large public consumption. Because internet users now spend an average of 2 hours and 24 minutes each day on social networks and messaging applications, and share personal material and information while doing so, data footprints on social media are important. Consumers, on the other hand, are worried about how social media businesses exploit personal data submitted on such platforms. Residents in Virginia may believe that the VCDPA will shield them from such abuse, but the law currently stands, there will be no safeguards for anything uploaded openly.

VCDPA Exceptions

The new Virginia privacy legislation will not apply to every business in the state. There are other organizations that are excluded, in addition to those that do not fulfill the previously established data collecting and consumer requirements. Governments and government agencies in Virginia will be excluded from the law. Exemptions will be granted to companies that are subject to the Gramm-Leach-Bliley Act and HIPAA regulations.The VCDPA will not apply to non-profit organizations or higher education institutions.

There are data exemptions as well. Health information covered by HIPAA and other health-related regulations, as well as employee data maintained by an employer for business and benefit purposes, are examples. Personal information obtained in accordance with the federal Driver's Privacy Protection Act, as well as information gathered under the federal Family Educational Rights and Privacy Act, is excluded.

How Will the VCDPA Affect My Business?

Businesses that do business in Virginia, provide products or services for Virginia people, and manage or process the personal data of at least 100,000 Virginia residents are subject to the VCDPA. If selling personal data accounts for more than half of a company's overall income, the limit is dropped to 25,000 customers. As a result, some firms maybe able to avoid the VCDPA entirely. A company might comply with the legislation by ensuring that it does not control or handle personal data for the purposes of the VCDPA or that it falls below the bar. The bill exempts public, nonprofit, and higher education institutions, as well as financial institutions regulated by the Gramm-Leach-Bliley Act or businesses subject to specific HIPAA standards. However, exempt organizations should be aware that, as in California, general industry data collecting and usage practices may alter in ways that harm them as well.

The VCDPA applies to businesses that are either "controllers" of personal data or "processors" that conduct actions on personal data on behalf of a controller, such as "collection, use, storage, disclosure, analysis, deletion, or modification." Receiving, validating, and dealing with legitimate consumer personal data requests, as well as putting up an appeals procedure for requests they refuse, controllers comply with the law. They must also comply with the VCDPA by only collecting personal data that is "adequate, relevant, and reasonably necessary," providing disclosures and privacy notices, implementing "reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data," preventing de-identified data from being re-identified, and conducting and documenting "data protection assessments." These private evaluations enable firms to demonstrate why the benefits of using personal data outweigh any dangers to consumer rights, as well as how they minimize those risks. While assessments add to the expense of compliance, they are expected to aid companies in shaping the new law's enforcement.

Processors generally comply through their contracts with controllers, which must include instructions and specifics on how to treat personal data. Processors must also work with controllers to ensure that the legislation is followed and that consumer data is protected. Businesses that are controllers or processors under the VCDPA are entitled to a variety of exemptions from their requirements, which are mostly based on the limits on consumers' new privacy rights. Many of the particular responsibilities imposed on organizations owning or processing data amount to a reasonableness need to protect personal data of consumers and handle it only when required and for legitimate reasons. The controller is primarily responsible for compliance, with support from the processor. Enforcement will most likely sort out the bounds of reasonableness.

Sign up to be notified
about future publications!
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
February 18, 2022

What you need to know about the Virginia Data Privacy Law

Virginian organizations will have to invest more time and resources into data management in the next few years due to the signing of the Virginia Consumer Data Protection Act.

Date:
Hosted By:
Register Now

Most organizations deal with data governance and data classification in some capacity. However, Virginian organizations will have to invest more time and resources into data management in the next few years due to the signing of the Virginia Consumer Data Protection Act.

In this article, we’ll explore what the Virginia Consumer Data Protection Act is and what it means for businesses that serve customers and clients in Virginia.

What is The Virginia Consumer Data Protection Act (VCDPA)?

Consumers have the right to see their data and request that firms erase their personal information under the VCDPA. It also mandates that businesses complete data security audits when processing personal data for targeted advertising and sales.

To be included in the statute's scope, businesses operating in Virginia must meet one of two criteria, both of which address a minimum number of impacted customers. In a calendar year, entities must control or handle the personal data of at least 100,000 customers, or the personal data of at least 25,000 consumers, with the sale of such data accounting for more than 50% of gross income.

Consumers are Virginia residents "acting exclusively in an individual or household setting," according to the VCDPA, which explicitly outlines who is protected. It goes on to say that consumers do not include anyone who are engaged in a "commercial or job environment." Unlike California, where the B2B and employee exclusions have been the subject of many legislative changes, Virginia has decided not to leave those possible compliance difficulties up in the air. Aside from reporting data protection assessments, Virginia's statute has no major record keeping obligations. If a company currently has a GDPR or CCPA-compliant mechanism in place for accepting and responding to data subject or consumer access requests, it should be enough to handle requests from Virginia residents.

The VCDPA vs Other Data Privacy Laws

There are substantial distinctions between the Virginia privacy legislation and the GDPR and CCPA that we've been accustomed to. The first is a definition of the term "consumer." In Virginia, a consumer is defined as someone who is mainly a Virginia resident "operating exclusively in an individual or home setting," but excludes "any person engaging in a business or job context." The information maintained from business-to-business or PII belonging to workers is not covered by data privacy rules. 

VCDPA is also unusual in terms of how data sales are defined. "Unlike the CCPA, which allows personal data to be traded for 'monetary or other valued compensation,' the CDPA requires that the consideration be monetary to qualify as a data sale," according to IAPP. There are several exceptions to this rule, such as data that customers knowingly make public (e.g., through a social media posting), data disclosures to a third party offering a specific service or product, and data transfers during a corporate merger or acquisition. As the VCDPA takes shape, keep an eye on the exclusion of data given by consumers on social media or for large public consumption. Because internet users now spend an average of 2 hours and 24 minutes each day on social networks and messaging applications, and share personal material and information while doing so, data footprints on social media are important. Consumers, on the other hand, are worried about how social media businesses exploit personal data submitted on such platforms. Residents in Virginia may believe that the VCDPA will shield them from such abuse, but the law currently stands, there will be no safeguards for anything uploaded openly.

VCDPA Exceptions

The new Virginia privacy legislation will not apply to every business in the state. There are other organizations that are excluded, in addition to those that do not fulfill the previously established data collecting and consumer requirements. Governments and government agencies in Virginia will be excluded from the law. Exemptions will be granted to companies that are subject to the Gramm-Leach-Bliley Act and HIPAA regulations.The VCDPA will not apply to non-profit organizations or higher education institutions.

There are data exemptions as well. Health information covered by HIPAA and other health-related regulations, as well as employee data maintained by an employer for business and benefit purposes, are examples. Personal information obtained in accordance with the federal Driver's Privacy Protection Act, as well as information gathered under the federal Family Educational Rights and Privacy Act, is excluded.

How Will the VCDPA Affect My Business?

Businesses that do business in Virginia, provide products or services for Virginia people, and manage or process the personal data of at least 100,000 Virginia residents are subject to the VCDPA. If selling personal data accounts for more than half of a company's overall income, the limit is dropped to 25,000 customers. As a result, some firms maybe able to avoid the VCDPA entirely. A company might comply with the legislation by ensuring that it does not control or handle personal data for the purposes of the VCDPA or that it falls below the bar. The bill exempts public, nonprofit, and higher education institutions, as well as financial institutions regulated by the Gramm-Leach-Bliley Act or businesses subject to specific HIPAA standards. However, exempt organizations should be aware that, as in California, general industry data collecting and usage practices may alter in ways that harm them as well.

The VCDPA applies to businesses that are either "controllers" of personal data or "processors" that conduct actions on personal data on behalf of a controller, such as "collection, use, storage, disclosure, analysis, deletion, or modification." Receiving, validating, and dealing with legitimate consumer personal data requests, as well as putting up an appeals procedure for requests they refuse, controllers comply with the law. They must also comply with the VCDPA by only collecting personal data that is "adequate, relevant, and reasonably necessary," providing disclosures and privacy notices, implementing "reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data," preventing de-identified data from being re-identified, and conducting and documenting "data protection assessments." These private evaluations enable firms to demonstrate why the benefits of using personal data outweigh any dangers to consumer rights, as well as how they minimize those risks. While assessments add to the expense of compliance, they are expected to aid companies in shaping the new law's enforcement.

Processors generally comply through their contracts with controllers, which must include instructions and specifics on how to treat personal data. Processors must also work with controllers to ensure that the legislation is followed and that consumer data is protected. Businesses that are controllers or processors under the VCDPA are entitled to a variety of exemptions from their requirements, which are mostly based on the limits on consumers' new privacy rights. Many of the particular responsibilities imposed on organizations owning or processing data amount to a reasonableness need to protect personal data of consumers and handle it only when required and for legitimate reasons. The controller is primarily responsible for compliance, with support from the processor. Enforcement will most likely sort out the bounds of reasonableness.

Let's talk

Ready To Discuss Your Data Challenges?

Contact us

you may also like