First in our 2023 data privacy laws series is the Virginia Consumer Data Protection Act (VCDPA). The VCDPA effective date was January 1st, 2023, with enforcement beginning the same day. VCDPA, sometimes referred to as just CDPA, is somewhat of a mixture of the EU’s GDPR (General Data Protection Regulation) and California’s CPRA (California Consumer Privacy Rights Act). While it shares similarities with each, it is sufficiently dissimilar that it will likely require its own compliance considerations. Much like CPRA, VCDPA will apply to any business that processes the personal data of over 100,000 of the state’s residents, or that processes the personal data of over 25,000 and derives 50% of its gross revenue from the sale of personal data.
Much like GDPR and CPRA, VCDPA introduces numerous consumer data privacy rights. These rights include the right to access personal data, the right to know personal data is being processed, the right to data portability, the right to deletion, the right to rectification, and the right to opt out of targeted advertising or the sale of personal data.
One of the most substantial differences between CPRA and VCDPA is how VCDPA treats the processing of sensitive data. While CPRA allows consumers to opt out of the processing of their sensitive data, VCDPA requires a data processor to get opt-in consent to process a consumer’s sensitive data. Additionally, VCDPA defines sensitive data as any data that includes demographic information, geolocation data, or data from a known child. Another difference is in how VCDPA treats employee and business contact data. VCDPA does not classify employees as consumers, nor does it consider personal data processed in a business-to-business context to be in scope. VCDPA also has blanket exemptions for government agencies, businesses subject to HIPAA, institutions of higher education, and financial institutions subject to Gramm-Leach-Bliley, while CPRA does not.
Outside of CPRA, other state laws going into effect in 2023 are modeled after VCDPA, so understanding VCDPA and what goes into a compliance strategy for it will go a long way toward reaching compliance with the other laws. When building a compliance strategy for VCDPA, you should first map what data you store or process. Additionally, it would be helpful to conduct a readiness assessment to identify where the gaps in compliance are. Once you’ve located the gaps, you can prepare a remediation plan and develop controls to bring the business into compliance before sanctions are incurred.