Virginia’s Consumer Data Protection Act (VCDPA)

Virginia has enacted comprehensive privacy legislation, which becomes effective on Jan 1, 2023.

The VCDPA is an opt-in law: enterprises must be able to show that they have a consumer's informed consent before processing that consumer's sensitive personal information, unless an exemption applies.
The VCDPA confers on consumers (Virginia residents) the following rights over their personal data:

1) Right to know

2) Right to access

3) Right to correct

4) Right to delete

5) Right to data portability

6) Right to opt-out of different uses of their personal information

The VCDPA also expands Virginia’s definition of sensitive data to include personal data revealing racial or ethnic origin, religious beliefs, sexual orientation, mental or physical health diagnosis, personal data collected from a known child, immigration status, and the processing of genetic or biometric data for the purpose of uniquely identifying a natural person.

Applicability of the CDPA

The CDPA applies to enterprises that conduct business in Virginia, or produce products or services that target Virginia residents, and that (1) during a calendar year, control or process personal data of at least 100,000 “consumers” or (2) control or process personal data of at least 25,000 “consumers” and derive over 50% of gross revenue from the sale of personal data. “Consumer” is defined as a natural person who is a resident of Virginia, acting only in an individual or household context.

This article does not cover the broader sectoral exemptions set out in the CDPA.

Diving Deep into VCDPA’s Compliance/Implementation:

Enterprises ought to review their personal data processing activities, data security measures, privacy policies and service provider contracts. Consumer (data subject) rights have become increasingly important, and fulfilling them brings its own challenges. Fulfillment of these rights is at the core of any privacy regulation and an essential ingredient of any successful privacy program; it goes without saying that enterprises must comply with the privacy regulations relevant to them.

Obligations Under The CDPA

1) Limits on collection (Data Minimization): The CDPA includes a provision limiting the collection of data to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed.

2) Limits on use: The CDPA requires enterprises to process personal data only for the purposes for which it was collected.

3) Technical safeguards: In addition to imposing obligations on enterprises' processing activities, the CDPA, like the CCPA and GDPR, also requires enterprises to "establish, implement, and maintain reasonable administrative, technical, and physical data security practices."

4) Data protection assessments: The CDPA also requires controllers to conduct "data protection assessments" that evaluate the risks associated with specified types of processing activities.

5) Data processing agreements: The CDPA requires that a data processing agreement govern the processing activities undertaken by a processor, and it sets out specific terms that must be incorporated in the agreement.

6) Privacy policy: The CDPA requires controllers to provide consumers with a privacy policy.

What Happens if Companies Don’t Comply With The CDPA?

The Virginia Attorney General will have exclusive authority to enforce the Act. Violators will have a 30-day period to cure violations, after which the Attorney General may levy damages of up to $7,500 per violation.

Way Forward:

Although this article may not cover every challenge anticipated from VCDPA implementation, and although the law is not yet in force, the following action items can be summarized for easy reference as a way forward:

1) To undertake a data privacy assessment of the underlying personal and sensitive data.

2) To maintain an up-to-date inventory of the personal and sensitive data.

3) To classify the data/information into categories and segregate it accordingly.

4) To introduce and implement processes and technologies such as automating the fulfillment of data subject rights, data deletion, etc.