A New Era of Privacy Law in Virginia

By: Jared Roberts

On March 2, 2021, Virginia became just the second state in the United States to enact a consumer data protection act. The Virginia Consumer Data Protection Act (VCDPA) will offer consumers in the Commonwealth greater protection over their private information. 

It is a well-known business practice for companies to collect and process the personal data of others for purposes of targeted advertising based on the data, selling the data, and profiling the data. We’ve already seen large companies begin to try and counteract this practice, the prime example being Apple, which initiated a function allowing users to prevent the application they are using from tracking them. Now, the Commonwealth will begin offering consumers even more protection over their online transactions. Whether you are one of the companies profiting on data, or the individual subject of the personal data, the VCDPA will change your obligations and rights. 

Within the VCDPA, it defines two groups transacting in personal data. The first group, controllers, means an entity or person that holds the personal data of others and determines the means and purpose of what to do with that personal data. The second group, processors, is an entity or person that then processes that data on behalf of a controller. In this context, the personal data belongs to consumers, meaning any resident of the Commonwealth involved with transacting for personal goods for their personal use and not for business use. 

Despite these seemingly broad definitions, the application of the VCDPA is narrowed according to the size and business structure of the company. The VCDPA does not apply to all companies falling within those definitions. Instead, the VCDPA only applies to those companies that control or process the personal data of at least 100,000 consumers within one calendar year, or those that control or process the personal data of at least 25,000 consumers in one calendar year and obtain at least 50% of their gross revenue from the sale of this personal data. 

Under the VCDPA, controllers who meet these standards have several outstanding obligations. These obligations include (1) limiting collection of personal data to what is adequate, relevant, and reasonably necessary; (2) refraining from processing personal data for a nondisclosed purpose; (3) implementing security procedures to protect personal data; (4) not processing personal data in discriminatory ways; (5) refraining from processing sensitive consumer data without consumer consent; (6) providing consumers with reasonable, accessible, clear, and meaningful privacy notices regarding the categories of personal data processed, the purposes for the data, how they share the data, and how a consumer may exercise their rights; (7) providing consumers with notice of the sale of their personal data; and (8) creating reliable means for consumers to exercise their rights. As a result, processors need to adhere to the instructions given by controllers. 

In addition to personal data, controllers and processors have certain duties regarding a set of data called de-identified data. This is data that lacks identifiable information, so it cannot be reasonably linked to an individual. Controllers in possession of this type of data need to take measures to ensure that it cannot be associated with any person and publicly commit to this and contractually obligate receivers of this information to do the same. 

If your data is held by one of these groups, there are several remedies at your disposal. Consumers can submit a request to controllers to (1) to confirm whether the controller is processing their data and, if so, to access it; (2) to correct inaccuracies in the consumer’s personal data; (3) to delete personal data; (4) to obtain a copy of the personal data; and (5) to opt-out of the processing of the personal data for the purpose of targeted advertising, sale of the data, and profiling of the data. 

Once a consumer acts, it avails additional requirements onto the controller. Controllers need to respond without undue delay within 45 days. If the controller declines the request, they must provide justification. Any information the controller provides must be free of charge to the consumer twice annually, and it is the controller’s burden to show excessive cost. Lastly, the controller needs to provide an appeal avenue for consumers who have their requests denied. 

All of this acts to reshape privacy law in Virginia. While this new law is exciting, it is important to note that it will not go into effect until January 1, 2023. Whether you are considered a consumer, controller, or processor, it is important that you know your rights and duties under this new law. Having a skilled attorney will help provide you with peace of mind that your rights are accounted for, or that your obligations are satisfied as to avoid liability.