There’s been much ado about preparation for privacy in 2023 with a heavy emphasis on CPRA as it transitions from the previously established CCPA, but organizations are up against the effective date for the Virginia Consumer Data Privacy Act, as well. Although both laws provide detailed definitions of “personal information,” grant customers control over their personal information, and demand that covered businesses disclose their practices in a transparent manner, there are important distinctions of which to be aware.

Here is an outline of key compliance elements in the Virginia Consumer Data Privacy Act that can inform your preparation efforts as the effective date inches closer.

Effective Date: January 1, 2023

VCDPA Compliance Outline:

• In VCDPA, covered entities are called controllers to better align with GDPR, whereas CPRA-covered entities are called businesses, but the underlying applicability is similar albeit without the revenue qualifier.
• VCDPA Scope: Applicable to those who operate businesses in Virginia or create goods or services marketed to Virginians and that:
  • Control or process the personal data of at least 100,000 consumers annually.
  • Control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
• Both laws have broad definitions of personal information, with VCDPA lacking specific examples and leaving it more up to interpretation, offering only any that personal data is information that is linked or reasonably associated with an identified or identifiable natural person. Sensitive information is better defined and a more important consideration.
• VCDPA requires controllers to seek opt-in consent from consumers before processing personal information and includes a carve-out for the personal data of children. This is an important distinction in Virginia.
• Sensitive personal data is outlined as:
  • Personal data revealing:
    • Racial or ethnic origin
    • Religious beliefs
    • Mental or physical health diagnosis
    • Sexual orientation
    • Citizenship or immigration status
  • Genetic or biometric data, if processed for the purpose of uniquely identifying a natural person
  • Children’s personal data
  • Precise geolocation data
• Consent is defined as “…a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement…” consistent with GDPR’s unambiguous definition of consent.
• Data Protection Assessments are required to process sensitive personal information to identify and mitigate risks. While less restrictive than Colorado, this is often an important new obligation for businesses to engrain in normal operating practice.
• Controller Obligations:
  • Data minimization
  • Purpose limitation
  • Reasonable data security
  • Sensitive data
  • Privacy notices
  • Third-Party disclosures or targeted advertising
  • No discrimination
  • No contractual limitations
• VCDPA Consumer Rights:
  • Right to Know whether a controller is processing the consumer’s personal data
  • Right to Access personal data processed by a controller
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt-Out of targeted advertising, the sale of personal data or profiling
  • Right to Appeal. This is probably the most important element of the Virginia class of privacy laws, as it is an extension unique to the entire world of privacy. “A controller is required to establish a process for a consumer to appeal its refusal to act on a request, and if the appeal is denied, an online mechanism or another method for the consumer to contact the attorney general to submit a complaint.” In addition, when taken in conjunction with other Virginia laws and precedence, it is arguable that the appeal process must differ from the normal workflow of requests, especially for the individuals involved. A best practice may be to have appeals that go to an outside counsel or at least to a different, more senior person within the organization.
• Consumers are given two free requests per year with 45 days for the controller’s initial response and 60 days to respond to an appeal.
• Controllers must provide “reasonably accessible, clear, and meaningful” disclosures with transparent collection practices, data uses, and how that data is shared, as well as the rights of consumers and how to exercise them.
• Enforcement is provided by the Virginia Attorney General with fines of up to $7,500 per violation but does not include a private right of action.

Beyond the VCDPA privacy requirements listed above, there are a few carve-outs, limitations, and important definitions that are important to note.

• Exemptions:
  • CDPA does not apply to state government entities, nonprofits, institutions of higher education, financial institutions, or data subject to Title V of the Gramm-Leach-Bliley Act, covered entities or business associates subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic Clinical Health Act.
  • Section 59.1-572(C). There are 14 categories of exempt information and data, including protected health information under HIPAA and other health-related information, data regulated by the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act and others.
• Limitations:
  • Section 59.1-578. CDPA does not restrict a controller or processor from complying with laws or investigations, cooperating with law enforcement, or exercising or defending legal claims.
  • CDPA does not restrict a controller or processor from providing a product or service specifically requested by a consumer, taking steps to protect an interest that is essential for the life or physical safety of a consumer or another natural person, protecting again security incidents, engaging in peer-reviewed scientific research, etcetera.

Important Definitions:

• Consumer means a natural person who is a Virginia resident acting in an individual or household context. Acting in a commercial or employee context is specifically excluded from the definition.
• Controller means the natural or legal person that determines the purpose and means of processing personal data.
• Personal data means any information that is linked or reasonably linked to an identified or identifiable natural person. It does not include deidentified data or publicly available information (a separately defined term).
• Sensitive data means a category of personal data that includes data revealing racial or ethnic origin, religious beliefs, physical or mental health diagnosis, sexual orientation, or citizen or immigrant status, as well as processing of genetic or biometric data for identification, precise geolocation data, and personal data collected from a known child.
• Sale of personal data means the exchange of personal data for monetary consideration by the controller to a third party. It does not include disclosure (1) to a processor processing data on behalf of the controller; (2) to a third party for purposes of a product or service requested by the consumer; (3) to a controller’s affiliate; (4) of information a consumer intentionally made available to the general public via mass media and did not restrict to a specific audience; and (5) to a third party as an asset that is part of a business transaction where the third party assumes control of the controller’s assets.

If you’d like to learn more about how Truyo can help you achieve compliance with VCDPA, CPRA, or any other upcoming privacy laws please reach out to hello@truyo.com to schedule a privacy consultation or demo of the complete Truyo privacy solution.