What is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act (VCDPA) is a data protection law that came into effect in the Commonwealth of Virginia on January 1, 2023. By passing this legislation, Virginia became the second state (after California) with a comprehensive data protection law in place.

The VCDPA isn’t the first or only personal data protection law on the commonwealth’s books. It is, though, a wider-reaching and more comprehensive piece of legislation than the three major preceding privacy and data protection laws in the state.

This is the first such legislation in the commonwealth that’s comparable to California’s Consumer Privacy Act (CCPA). The VCDPA expands on previous interpretations of “personal information” and includes a separate “sensitive data” category. Data protection assessments also add a new dimension to the law.

How does the Virginia Consumer Data Protection Act compare to the California Consumer Privacy Act?

The VCDPA is considerably shorter than the CCPA. This certainly seems like a benefit, with a less sprawling legislation that’s quicker and easier to analyze and interpret. Compliance is also simplified, especially for smaller businesses that lack internal legal departments.

The danger with such succinct and possibly even pared-down legislation is that it can end up leaving a lot of key compliance requirements undefined and unclear. The VCDPA seemingly avoids this, for example defining what a “consumer” is from the outset, something the CCPA achieved only after a series of statutory amendments.

Unlike the CCPA, the VCDPA also manages to avoid relying on thresholds based only on annual gross revenue, making it easier for affected entities to understand their compliance obligations. Of course, the authors of the VCDPA had the benefit of learning from their Californian counterparts.

It’s worth noting that the commonwealth’s CDPA has minimal documentation overheads, except for keeping records on data protection assessments. This means that if an entity is already compliant with the CCPA or GDPR, it’s likely that its procedures for handling sensitive personal data are already VCDPA-compliant.

What rights does the Virginia Consumer Data Protection Act guarantee?

The Virginia CDPA gives commonwealth residents a set of data privacy protections that are very similar to those in the CCPA, which is often considered the predecessor and model for later state legislatures. The VCDPA gives Virginia residents the following consumer rights:

• The right to confirm whether a given controller is processing their personal data.
• The right to correct inaccuracies in their personal data as it is collected by the controller.
• The right to have personal data deleted.
• The right to see what personal data the controller has collected.
• The right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of that personal data, or any future profiling.

The VCDPA makes special provisions for sensitive data. Sensitive data is a subset of personal data under the VCDPA, but entities processing sensitive data are subject to some extra conditions. Sensitive data includes genetic or biometric data, sexual orientation, immigration status, and religious beliefs among other personal information.

There are also exemptions to the Virginia Consumer Data Protection Act. These include such personal data as that which is included in local government records and public records more generally.

Updated on: June 28, 2023