Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


10:00 AM
Connect Directly
E-Mail vvv

Virginia Takes Different Tack Than California With Data Privacy Law

Online businesses targeting Virginia consumers and have personal data of 100,000 consumers in the state must conform to the new statute.

Rarely do Virginia and California fall into the same legislative camp, but if the Virginia Consumer Data Protection Act is signed by its governor (as is widely expected), both states will have a sweeping data privacy act. And in the absence of a federal data privacy law, individual states continue to fill gaps centered on consumers, businesses, and the collection of data.

Who's Covered By VCDPA
Businesses that "conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data."   

Related Content:

What You Need to Know About California's New Privacy Rules

Special Report: How IT Security Organizations are Attacking the Cybersecurity Problem

New From The Edge: Fighting Fileless Malware, Part 2: Countermeasures

Remember that conducting business in the age of e-commerce can mean simply operating a website that targets residents in Virginia. Thus, if you are a business with a website targeting Virginia consumers and have the personal data of at least 100,000 of those consumers, you likely fall under the arm of the statute and need to take steps to comply. This is a notable departure from California's CCPA, which centers on businesses with a $25 million revenue threshold; possess personal data of more than 50,0000 consumers; or earn more than half their annual revenue selling consumers' personal data. Virginia's legislation centers instead solely on Virginia consumers served or data sold.

A series of businesses are exempt from VCDPA, including those that fall under HIPAA or Graham-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and governmental entities in Virginia.

What Is Personal Data Under VCDPA?
The act defines personal data as "any information that is linked or reasonably linked to an identifiable or identifiable natural person." It does not include de-identified data or publicly available data. And, most notably, it also does not include a "natural person acting in a commercial or employment context." In other words, personal data applies almost strictly to consumer data. The act exempts data generated for business contacts or information held on employees.

VCDPA creates a second threshold for "sensitive data," which it defines as data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status.

Business-to-business communications and contacts are specifically also carved out, relying instead on consumer-driven data collection. Thus, if you are a business that operates by sales teams reaching out directly to other businesses, you may not fall under the definition of "personal data" as the  VCDPA defines it. Similarly, photographs, videos, and audio recordings are exempt from the definition of biometric data.

The VCDPA grants rights to consumers to confirm the personal data being processed by a business, to obtain a copy of that data, or to request the business delete that personal data. And, notably, the act allows that a consumer may opt out of the processing of the personal data for targeted advertising, sale, or profiling of the consumer. 

The Compliance Countdown Is On 
The act takes effect Jan. 1, 2023, a compliance deadline that also lines up with the recently passed California Consumer Rights Act. 

This will most certainly continue to drive the conversation toward a federal data privacy act. Right now, a patchwork of states are creating laws that are driving the consumer data privacy conversation. If the governor signs the VCDPA as expected, Virginia will have beaten Maryland, Minnesota, New York, and Washington to the punch in a national conversation.  

Security Professionals Must Be Particularly Mindful 
The VCDPA requires that businesses "establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data." The act goes a step further and adds these teeth: "Such data security practices shall be appropriate to the volume and nature of the personal data at issue." In other words, if a business is storing or processing high volumes of consumer information, it will be held to a higher standard. 

The VCDPA requires that businesses "limit the collection of personal data to what is adequate, relevant, and reasonably necessary." In other words, businesses must be mindful of how they collect information and the duration for which they store this data. As many security professionals know, this is in many ways mission critical to limiting the fallout zone of a future potential data incident. The less sensitive data a business stores, the less risk the organization shoulders if an incident occurs.

The VCDPA will continue to push forward the national conversation on data privacy rights and the security of consumer data. Privacy and security go hand in hand under these data privacy acts showing that many companies must not only defend against external forces attempting to access data but also improper internal collection of consumer information.  

Rather than wait for January 2023, all businesses — especially those with a national footprint — are well served to begin analyzing their data footprints now and taking steps toward compliance with Virginia and California's new enhanced privacy protections for consumers.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/3/2021 | 9:50:22 PM
Pending Review
This comment is waiting for review by our moderators.
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within the same trust domain, if the attacker controls the v...
PUBLISHED: 2021-03-05
An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during m...
PUBLISHED: 2021-03-05
An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFI...
PUBLISHED: 2021-03-05
An issue was discovered in OSSEC 3.6.0. An uncontrolled recursion vulnerability in os_xml.c occurs when a large number of opening and closing XML tags is used. Because recursion is used in _ReadElem without restriction, an attacker can trigger a segmentation fault once unmapped memory is reached.
PUBLISHED: 2021-03-05
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.