Virginia’s Consumer Data Privacy Law Takes Effect Next Month
As 2022 comes to a close, most of the attention in the consumer data privacy space has centered around the California Privacy Rights Act taking effect on January 1, 2023, but companies should not forget that the Virginia Consumer Data Protection Act (“VCDPA”) will also go into effect on January 1, 2023. As a result, businesses need to ensure that their policies and practices are adjusted, as necessary, to address these increased privacy obligations.
The VCDPA will apply to people and businesses that “conduct business in the Commonwealth” or “produce products or services that are targeted to” Virginia residents and (a) control or process personal data of at least 100,000 Virginia residents during a calendar year, or (b) control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data. The VCDPA contains a number of exemptions, including that it will not apply to any Virginia political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act, non-profit organizations, higher education institutions, or entities otherwise covered by HIPAA.
The VCDPA defines “personal data” broadly to include any information that is linked to or could reasonably be linked to an individual (de-identified or publicly available information is excluded from the definition of personal data). Covered businesses must obtain consent before processing or using consumer personal data. Additionally, consumers must be informed of the purpose for which their personal data is being collected, and covered businesses will be prohibited from using personal data for any undisclosed purpose.
The Virginia Attorney General will have exclusive enforcement authority. The Attorney General’s office would need to provide 30 days’ notice of any violation and allow an opportunity to cure. For uncured violations, the Attorney General would be able to file an action seeking $7,500 per violation. Notably, the VCDPA does not provide a private right of action.