Virginia is Set to Become the 2nd U.S. State to Pass a Data Privacy Regulation

The Virginia Consumer Data Protection Act (VCDPA) has passed both the House and Senate and awaits reconciliation which is believed to be a mere formality. Governor Ralph Northam supports the measure if reconciliation doesn’t introduce too many changes. The Virginia legislative session is over March 1. The Governor then has 30 days to sign into law or veto the bill. If passed, this comprehensive privacy bill would take effect on January 1, 2023. The bill appears to be a hybrid of CCPA and GDPR with a few unique additions borrowed from the Washington State privacy regulation which has become a “template” for many other states and itself has a very good chance of passing in the next few months. The VCDPA will be enforced by the Attorney General and does not include a private right of action. The following is a more in-depth comparison:

Source: Virginia is for Lovers . . . of Data Privacy | V&E Technology Transactions Update | Insights | Vinson & Elkins LLP (velaw.com)

The VCDPA applies to:

• Businesses that control or process data for at least 100,000 Virginians OR
• Commercial entities that derive at least 50 percent of their revenues from the sale and processing of consumer data of at least 25,000 customers
• If the business is passing data outside the state, the VCDPA regulations will be passed downstream
• Exemptions: HIPAA covered entities and business associates, nonprofits, higher education institutions and financial institutions subject to Title V of the Gramm Leach Bliley Act (GLBA)

The VCDPA defines a consumer as a natural person who is a resident of the Commonwealth acting in an individual or household context (different than consumer defined by the CCPA/CPRA). A natural person acting in a commercial or employment context is exempt.

Start preparing now for the following few highlights of the regulation:

• New category of information called sensitive information which includes precise geolocation data, racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status and identifying genetic or biometric data. Opt-in must be used for sensitive data and data of children.
• Process for consumers to appeal if a request is denied. The regulation doesn’t specify appeal process details, however.
• Consumer right to have inaccurate personal data corrected.
• Personal data would not include de-identified data. However, the company must make a public comment indicating de-identified data won’t be used in a manner that attempts to re-identify it. De-identified data is defined as data that cannot reasonably be inked to an identified natural person.
• Requires privacy impact assessments (PIA) must be done when private data is processed.