Virginians Can Protect Personal Data under New Virginia Consumer Data Protection Act

It is no secret that businesses have been collecting, buying, and selling personal information about consumers for years.  It is a safe bet that every time you interact with a company it is recording the information it receives and building a profile on you based on demographic data, such as your shirt size or whether you own a pet, and your personal preferences for consumer goods.

Companies use this information to better market their goods and services to you, but they may also buy and sell your information on the open market.  Until recently, much of this activity has been unregulated, and companies have been able to collect and share your personal information with little governmental oversite and without your knowledge or permission.

In 2023 that will no longer be the case in Virginia.  California became the first state to enact a comprehensive privacy law last year, which it modeled on privacy regulations from the European Union.  On March 2, 2021, Virginia joined California, becoming the second state to pass such a law when it enacted the Virginia Consumer Data Protection Act (“VCDPA”).

The new law goes into effect on January 1, 2023 and applies to all entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and who, during a calendar year, either:

1. control or process personal data of at least 100,000 Virginia residents, or
2. derive over 50% of gross revenue from the sale of personal data (though the statute is unclear if the revenue threshold applies to Virginia residents only) and control or process personal data of at least 25,000 Virginia residents.

Once the VCDPA goes into effect, you will be able to demand that these companies provide you with a copy of all your personal data, which is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”  It does not, however, include publicly available information or information that, standing alone, does not identify the consumer.   Further, it gives you the power to edit and delete your personal data and, if you choose, to opt out of allowing the covered businesses to use your personal data for marketing or other purposes.

The statute also requires the covered businesses to provide consumers with a method of exercising their rights and to provide each consumer with up to two cost-free responses a year.  Businesses can charge a reasonable fee for handling additional requests.  Once a request is received, the business has 45 days to respond, although it can extend the response time by an additional 45 days when “reasonably necessary.”

On the other side of the coin, businesses must obtain consent before processing “sensitive data,” which is defined to include “[p]ersonal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status…[or that is] collected from a known child.”

The VCDPA does not cover nonprofit organizations, higher education institutions, or state and local government institutions.  The law also does not cover information subject to the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act (COPPA) or personal data processed in the context of employment.

Unlike California’s privacy law, which allows individuals to bring suit on their own behalf, the VCDPA only provides for enforcement by the Attorney General.  Under the statute, once the Attorney General provides notice of a violations, the offending business has thirty days to correct the problem and confirm in writing to the Attorney General that it will not violate the law again.  If the violator fails to timely cure the problem or continues to violate the law, the Attorney General can seek damages of up to $7,500 per violation.

Several other states are currently considering their own consumer privacy laws, which has led to a growing concern that businesses will be forced to navigate a patchwork of requirements in different states.  This may place pressure on Congress to pass its own data protection legislation that would set national standards and requirements.  Until then, businesses will have over a year and a half to reassesses their collection of personal information and prepare for compliance with VCDPA.

Jeff Wilson is a Pender & Coward shareholder focusing his practice on employment law matters, including counseling and business litigation.