Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


10:00 AM
Connect Directly
E-Mail vvv

Virginia Takes Different Tack Than California With Data Privacy Law

Online businesses targeting Virginia consumers and have personal data of 100,000 consumers in the state must conform to the new statute.

Rarely do Virginia and California fall into the same legislative camp, but if the Virginia Consumer Data Protection Act is signed by its governor (as is widely expected), both states will have a sweeping data privacy act. And in the absence of a federal data privacy law, individual states continue to fill gaps centered on consumers, businesses, and the collection of data.

Who's Covered By VCDPA
Businesses that "conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data."   

Related Content:

What You Need to Know About California's New Privacy Rules

Special Report: How IT Security Organizations are Attacking the Cybersecurity Problem

New From The Edge: Fighting Fileless Malware, Part 2: Countermeasures

Remember that conducting business in the age of e-commerce can mean simply operating a website that targets residents in Virginia. Thus, if you are a business with a website targeting Virginia consumers and have the personal data of at least 100,000 of those consumers, you likely fall under the arm of the statute and need to take steps to comply. This is a notable departure from California's CCPA, which centers on businesses with a $25 million revenue threshold; possess personal data of more than 50,0000 consumers; or earn more than half their annual revenue selling consumers' personal data. Virginia's legislation centers instead solely on Virginia consumers served or data sold.

A series of businesses are exempt from VCDPA, including those that fall under HIPAA or Graham-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and governmental entities in Virginia.

What Is Personal Data Under VCDPA?
The act defines personal data as "any information that is linked or reasonably linked to an identifiable or identifiable natural person." It does not include de-identified data or publicly available data. And, most notably, it also does not include a "natural person acting in a commercial or employment context." In other words, personal data applies almost strictly to consumer data. The act exempts data generated for business contacts or information held on employees.

VCDPA creates a second threshold for "sensitive data," which it defines as data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status.

Business-to-business communications and contacts are specifically also carved out, relying instead on consumer-driven data collection. Thus, if you are a business that operates by sales teams reaching out directly to other businesses, you may not fall under the definition of "personal data" as the  VCDPA defines it. Similarly, photographs, videos, and audio recordings are exempt from the definition of biometric data.

The VCDPA grants rights to consumers to confirm the personal data being processed by a business, to obtain a copy of that data, or to request the business delete that personal data. And, notably, the act allows that a consumer may opt out of the processing of the personal data for targeted advertising, sale, or profiling of the consumer. 

The Compliance Countdown Is On 
The act takes effect Jan. 1, 2023, a compliance deadline that also lines up with the recently passed California Consumer Rights Act. 

This will most certainly continue to drive the conversation toward a federal data privacy act. Right now, a patchwork of states are creating laws that are driving the consumer data privacy conversation. If the governor signs the VCDPA as expected, Virginia will have beaten Maryland, Minnesota, New York, and Washington to the punch in a national conversation.  

Security Professionals Must Be Particularly Mindful 
The VCDPA requires that businesses "establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data." The act goes a step further and adds these teeth: "Such data security practices shall be appropriate to the volume and nature of the personal data at issue." In other words, if a business is storing or processing high volumes of consumer information, it will be held to a higher standard. 

The VCDPA requires that businesses "limit the collection of personal data to what is adequate, relevant, and reasonably necessary." In other words, businesses must be mindful of how they collect information and the duration for which they store this data. As many security professionals know, this is in many ways mission critical to limiting the fallout zone of a future potential data incident. The less sensitive data a business stores, the less risk the organization shoulders if an incident occurs.

The VCDPA will continue to push forward the national conversation on data privacy rights and the security of consumer data. Privacy and security go hand in hand under these data privacy acts showing that many companies must not only defend against external forces attempting to access data but also improper internal collection of consumer information.  

Rather than wait for January 2023, all businesses — especially those with a national footprint — are well served to begin analyzing their data footprints now and taking steps toward compliance with Virginia and California's new enhanced privacy protections for consumers.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-25
A Insecure Temporary File vulnerability in the packaging of cyrus-sasl of openSUSE Factory allows local attackers to escalate to root. This issue affects: openSUSE Factory cyrus-sasl version 2.1.27-4.2 and prior versions.
PUBLISHED: 2021-02-25
scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685.
PUBLISHED: 2021-02-25
Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter.
PUBLISHED: 2021-02-25
An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack.
PUBLISHED: 2021-02-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.