The Virginia Consumer Data Protection Act

On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “VCDPA”) into law. The VCDPA, which will become effective January 1, 2023, creates rights and obligations related to the collection and processing of consumer personal data. While many of these rights are similar to what we have seen under the California Consumer Protection Act (“CCPA”) or Europe’s General Data Protection Regulation (“GDPR”), many rights, such as the right to appeal the denial of a consumer data request and the establishment of a 30-day cure period, are new.

A business that controls or processes consumers’ personal information must comply with the VCDPA if it: (a) conducts business in the Commonwealth of Virginia or (b) produces products or services that are targeted to residents of the Commonwealth of Virginia; and:

  • During a calendar year, control or process personal data of at least 100,000 consumers, or
  • Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data

The VCDPA confers six rights on consumers, the majority of which can be exercised via a consumer request:

  1. Right to confirm whether a controller is processing a consumer’s personal data
  2. Right to access the personal data processed by a controller
  3. Right to correct inaccuracies in the consumer’s personal data
  4. Right to delete personal data provided by or obtained by a controller
  5. Right to obtain a copy of the personal data a consumer has provided to the controller in a portable and readily usable format; and
  6. Right to opt out of processing of personal data for:
    1. Targeted advertising
    2. Sale of personal data; and
    3. Profiling

The first five rights above may be exercised by a consumer pursuant to a consumer request. Businesses must establish a secure and reliable process for consumers to submit authenticated requests to exercise their consumer rights. The requirements of a consumer request process are similar to those established under the CCPA, with slight modifications. One of the novel concepts established by the VCDPA is an appeals process for consumer requests.

While the CCPA had previously provided consumers the right to opt out of the sale of personal data, the VCDPA expands the categories of the right to opt out to include targeted (or behavioral) advertising and profiling. These opt-out rights should be conspicuously placed on a business’s website, preferably on the home page. The method of opt-out should be easily accessible for all consumers and discussed in the business’s privacy policy.

The VCDPA also introduces the concept of “sensitive data.” Sensitive data encompasses multiple categories of data that are already subject to regulation by either federal or state law, such as children’s data; genetic or biometric data; precise geolocation data; and sensitive personal information such as racial or ethnic origin, sexual orientation, or citizenship or immigration status. Consumer consent must be obtained prior to processing sensitive data.

The VCDPA establishes a host of additional obligations for businesses that are controlling or processing personal data. Such obligations include:

  • Establishing reasonable technical and physical data security practices
  • Disclosing the sale of personal data or the processing of personal data for targeted advertising
  • Providing a privacy policy
  • Entering into contracts with data processors that contain specific provisions
  • Using data protection assessments in certain circumstances

While the VCDPA does not have a private right of action, it is vital that a business complies with all obligations under the VCDPA to avoid hefty penalties and/or an injunction. If a business violates the VCDPA and does not cure the problem within 30 days, the Attorney General may initiate an action in the name of the Commonwealth and seek both an injunction to restrain any violations of the VCDPA and civil penalties up to $7,500 for each violation.

Businesses that control or process data must stay up to date on the latest data privacy laws and regulations as this area continues to evolve. Businesses must take steps towards compliance now, prior to the effective date of the VCDPA, to avoid a last-minute implementation of faulty data privacy practices. 

Should you have any questions or need assistance, please contact us.

Nicole E. Cloyd

Mark E. Musekamp

Nicole is admitted to practice law in Kentucky; Nicole is approved under Ohio Gov. Bar R. I § 19 to practice in Ohio while her application for admission is pending.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.


© 2024 Keating Muething & Klekamp PLL. All Rights Reserved

