Yesterday, Virginia passed the Virginia Consumer Data Protection Act (VCDPA), making it the second state (behind California, with its California Consumer Protection Act (CCPA) to enact a general consumer privacy law.  The VCDPA will take effect on January 1, 2023, which is also the same day the California Privacy Rights Act (CPRA), an act to strengthen the CCPA, will go into effect.

The VCDPA applies to “persons” that conduct business in Virginia (or produce products and services that are targeted to Virginia residents) that “control or process” the personal data (1) of at least 100,000 Virginia residents or (2) for an entity that derives over half of its gross revenue from the sale of personal data, of at least 25,000 Virginia residents.  Nonprofit organizations and institutions of higher education are exempt.

The VCDPA defines “personal data” broadly as any information that is “linked or reasonably linked to an identified or identifiable natural person.”  “Personal data” does not include publicly available information, or de-identified data (which by definition cannot be reasonably linked), although de-identified data would be subject to certain safeguards to limit the risk of re-identification.

The VCDPA stands out in that it is the first of its kind in the U.S. to require controllers to seek opt-in “consent” from consumers with respect to the processing of sensitive data, including health information, race, ethnicity, and precise geolocation data, and to mandate formal data protection assessments (similar to the European Union’s General Data Protection Regulation (GDPR)).  The data protection assessment obligation requires controllers to conduct data protection assessments that weigh the overall benefits of the processing activity against the potential risks of the consumer (as mitigated by applicable safeguards) before engaging in processing activities that involve sensitive data, targeted advertising, the sale of personal data, processing for purposes of profiling, and any other activities that “present a heightened risk of harm to consumers.”  Further, the attorney general may compel production of these assessments pursuant to an investigative civil demand, without court approval, and may evaluate the data protection assessment for compliance with VCDPA.  The assessments are considered confidential and exempt from Virginia’s Freedom of Information Act (FOIA), and any attorney-client privilege or work product protection with respect to an assessment or its contents cannot be considered waived.

The rest of the VCDPA provisions are more in-line with other consumer privacy laws.

The VCDPA provides consumers with data subject rights, including a right to confirm whether a controller is processing personal data, to access such personal data, to correct inaccuracies in the personal data, to delete personal data, to obtain a copy of the personal data in a portable and usable format, and to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the customer.

The VCDPA requires data controllers to, inter alia, limit collection of personal data to what is adequate, relevant, and reasonably necessary; to not process personal data outside of the disclosures of what/how personal data is being processed; and to establish, implement, and maintain reasonable administrative, technical, and physical data security practices (reasonableness is tied to the volume and nature of personal data at issue).

The law also requires controllers to provide consumers with a privacy notice including the categories of personal data processed by the controller; the purpose for processing personal data; how consumers may exercise their data subject rights; the categories of personal data the controller shares with third parties (if any); the categories of third parties, if any, with whom the controller shares personal data; if the controller sells personal data or processes personal data for targeted advertising, the controller shall disclose such processing as well as the manner in which a consumer may opt-out of such processing; and information on how consumers may submit requests to exercise their data subject rights (which  must take into account “the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request”).

The VCDPA does not provide for a private consumer right of action (unlike CCPA, which provides for a private right of action for violations of the duty to implement and maintain reasonable security procedures).  Instead, the state’s attorney general has exclusive authority to enforce the law.  Prior to initiating any action, the attorney general must give the controller or processor 30 days’ written notice, and if the controller or processor cures the noticed violation(s) and provides an express written statement to the attorney general stating so and that no further violations shall occur, then no action for statutory damages will be initiated.  The VCDPA provides for statutory damages of up to $7,500 for “each violation,” as well as injunctions and reasonable expenses for the attorney general investigating and preparing the case, including attorney fees.

All penalties collected for violations of the VCDPA will be paid into the newly-created “Consumer Privacy Fund,” which will be used “to support the work of the Office of the Attorney General to enforce the provisions of this chapter.”