Virginia Governor Signs VCDPA Amendment Bills into Law 

The Virginia Consumer Data Protection Act (VCDPA) was established to address consumer privacy issues and concerns, including the use and storage of customer data by businesses. The law includes a list of key rights for Virginia consumers, including the right to opt out of one’s personal data being sold or used for custom advertisements.

Virginia Amends New Privacy Law Ahead of VCDPA Effective Date

In April of 2022, the governor of Virginia signed into law three important amendments to the VCDPA. These changes to the Virginia Consumer Data Protection Act were enacted before its effective date and take effect on January 1, 2023.

What are the amendments?

First, the VCDPA provides several protections for Virginia consumers:

  • The right to know, access, and confirm data on yourself. In other words, if you want to know what data a company keeps on you, they are required to make this information available to you.
  • The right to have your personal data deleted or destroyed. If you do not want a company to have or use your data, you can ask them to get rid of it.
  • The right to fix any inaccuracies in your own data.
  • The right to have mobile or portable access to any of your data held by a business. If you want to view your data, you should not have to visit the company headquarters or wait for them to mail you a paper copy; you should instead be able to log into your account and view your data.
  • The right to opt out of having your data used for targeted advertising. This means that if you do not want to be “stalked” around the internet by ads for products you viewed briefly, you can opt out.
  • The right to opt out of your data being sold to other companies. You might not mind giving your data to one store that you do business with, but that does not mean you want a hundred other companies buying this data and trying to contact you.
  • The right to opt out of consumer profiling based on your data.
  • The right to protection from discrimination based on exercising any of your other rights under the VCDPA. Companies cannot refuse to do business with you simply because you asked them not to sell your data, for example.

Now that we understand the general provisions of the law, we will take a look at the amendments:

Changes to How Data Deletion Requests Are Handled

As noted above, after the Virginia privacy law effective date, you will have the legal right to ask a company to delete your data. The first amendment to the VCDPA deals with how companies can go about processing such a request. It states that “controllers of personal data from a source other than the consumer” have two options:

  • They can record the request for deletion and save the minimum amount of data needed to prove the request was received and granted. This saved data cannot be used for any other purpose.
  • They can extract the data from any use other than those exempted by the VCDPA.

The VCDPA includes a lengthy list of exempted uses of data. One example is most healthcare-related information, which may be shared for reasons of providing healthcare or medical research.

The second VCDPA amendment is about exceptions or exemptions, notably organizations that are not subject to the law. In general, the Virginia data privacy laws apply to any company that does business or markets its products or services to Virginia residents, so long as it either:

  • Controls or processes the personal data of 100,000 or more Virginians
  • Controls or processes the personal data of at least 25,000 Virginians and also receives more than 50 percent of its gross revenue from selling personal data

Beyond these limitations, however, there are many types of organizations that are exempt, including those that process health information covered under HIPAA, certain organizations governed by other legislation, higher education institutions, and nonprofits. The second VCDPA amendment expands the definition of “nonprofit” to include political organizations and some insurers exempt from taxation under Internal Revenue Code § 501(c)(4). Previously, “nonprofit” in the context of the VCDPA only referred to Virginia Nonstock Corporations, organizations that were exempt from taxation under Internal Revenue Code §§ 501(c)(3), (6), or (12), and subsidiaries or affiliates of public utility service providers.

The third VCDPA amendment is related to funding. It repeals the Consumer Privacy Fund that the law initially created to hold penalties, expenses, and attorneys’ fees collected under the VCDPA from companies in breach of the law. The amendment will send those funds to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. 

Can You File a Lawsuit If Your Rights Are Violated Under the VCDPA?

No. This legislation does not provide a private right of action, or the opportunity to sue in civil court for damages incurred based on statutory laws (in this case, the VCDPA). Depending on how your data was used, you may have cause to pursue a lawsuit for other reasons. We recommend speaking with a Virginia civil attorney if you feel your data was misused in some way. Your lawyer can advise you on any options available.

What Should You Do If You Own or Run a Business That Falls Under VCDPA Jurisdiction?

First, remember that your business does not have to be physically located in Virginia to be subject to this legislation. If you conduct business or sell your wares to Virginia residents and meet the other criteria listed above, you will need to ensure that your business is compliant with the VCDPA. The best way to do this is to engage an experienced Virginia business attorney who can review your operations and make recommendations on what changes you need to make to be in compliance. It is also important to know that if you are found to be in violation of Virginia data privacy laws, you could be subject to a $7,500 fine for each violation.

In general terms, your company will need to work on purpose limitation and data minimization. That means that you will need policies that ensure you only hold data for the specific length of time you need it for a specific purpose. 

You will also be required to uphold “reasonable” data security practices to safeguard your clients’ confidentiality, and the reliability and accessibility of their data. Many people are unsure what “reasonable” means, and this is not entirely clear yet, but following a generally accepted industry standard is probably a good start. 

Finally, your business should create a solid plan or policy for responding promptly to customer requests under the new privacy laws. For example, you will need a streamlined method for handling requests to delete a customer’s data, fix errors in their data, prevent the sale of that data, stop using the data for personalized advertisements, etc. Your business lawyer can give you more specific advice about complying with the VCDPA.

If you have questions or concerns about data privacy or your rights under the VCDPA, please contact Lugar Law for a free consultation.