Rarely do Virginia and California fall into the same legislative camp, but if the Virginia Consumer Data Protection Act is signed by its governor (as is widely expected), both states will have a sweeping data privacy act. And in the absence of a federal data privacy law, individual states continue to fill gaps centered on consumers, businesses, and the collection of data.
Who's Covered By VCDPA
Businesses that "conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data."
Remember that conducting business in the age of e-commerce can mean simply operating a website that targets residents in Virginia. Thus, if you are a business with a website targeting Virginia consumers and have the personal data of at least 100,000 of those consumers, you likely fall under the arm of the statute and need to take steps to comply. This is a notable departure from California's CCPA, which covers businesses that meet a $25 million revenue threshold, possess personal data of more than 50,000 consumers, or earn more than half their annual revenue selling consumers' personal data. Virginia's legislation instead centers solely on the number of Virginia consumers served or the share of revenue from data sold.
A series of businesses are exempt from VCDPA, including those that fall under HIPAA or Gramm-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and governmental entities in Virginia.
What Is Personal Data Under VCDPA?
The act defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable natural person." It does not include de-identified data or publicly available data. And, most notably, it also does not include data about a "natural person acting in a commercial or employment context." In other words, personal data applies almost strictly to consumer data. The act exempts data generated for business contacts or information held on employees.
VCDPA creates a second threshold for "sensitive data," which it defines as data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status.
Business-to-business communications and contacts are also specifically carved out; the act is concerned instead with consumer-driven data collection. Thus, if you are a business that operates by having sales teams reach out directly to other businesses, that contact information may not fall under the definition of "personal data" as the VCDPA defines it. Similarly, photographs, videos, and audio recordings are exempt from the definition of biometric data.
The VCDPA grants rights to consumers to confirm the personal data being processed by a business, to obtain a copy of that data, or to request the business delete that personal data. And, notably, the act allows that a consumer may opt out of the processing of the personal data for targeted advertising, sale, or profiling of the consumer.
The Compliance Countdown Is On
The act takes effect Jan. 1, 2023, a compliance deadline that also lines up with the recently passed California Consumer Rights Act.
This will most certainly continue to drive the conversation toward a federal data privacy act. Right now, a patchwork of states is creating the laws that are driving the consumer data privacy conversation. If the governor signs the VCDPA as expected, Virginia will have beaten Maryland, Minnesota, New York, and Washington to the punch in a national conversation.
Security Professionals Must Be Particularly Mindful
The VCDPA requires that businesses "establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data." The act goes a step further and adds these teeth: "Such data security practices shall be appropriate to the volume and nature of the personal data at issue." In other words, if a business is storing or processing high volumes of consumer information, it will be held to a higher standard.
The VCDPA requires that businesses "limit the collection of personal data to what is adequate, relevant, and reasonably necessary." In other words, businesses must be mindful of how they collect information and the duration for which they store this data. As many security professionals know, this is in many ways mission critical to limiting the fallout zone of a future potential data incident. The less sensitive data a business stores, the less risk the organization shoulders if an incident occurs.
The VCDPA will continue to push forward the national conversation on data privacy rights and the security of consumer data. Privacy and security go hand in hand under these data privacy acts, which make clear that many companies must defend not only against external parties attempting to access data but also against improper internal collection of consumer information.
Rather than wait for January 2023, all businesses — especially those with a national footprint — are well served to begin analyzing their data footprints now and taking steps toward compliance with Virginia and California's new enhanced privacy protections for consumers.