Data privacy regulation will be extended within the Commonwealth of Virginia with the signing of the Virginia Consumer Data Protection Act (VCDPA), which becomes effective January 1, 2023. More states are introducing “GDPR-like” data privacy laws. The General Data Protection Regulation (GDPR) is considered the toughest privacy and security law in the world. Drafted and passed by the European Union (EU) in 2018, the GDPR imposes obligations onto organizations that target or collect data related to people in the EU; failure to abide by it can expose businesses to harsh monetary fines and penalties.
Along with Virginia’s new law, several other states have signed data privacy legislation to protect their citizens: California (California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA; to be enforced in 2023)), Nevada (Online Privacy Law) and Maine (Act to Protect the Privacy of Online Customer Information). Virginia’s new privacy legislation is a serious overhaul of its former privacy law, but it certainly is not as expansive as the GDPR, CCPA, or CPRA.
Below are several important aspects of the VCDPA:
- The law applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of the state and that (1) during a calendar year, control or process personal data of at least 100,000 consumers or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
- Personal Data is defined as “any information that is linked or reasonably associated to an identified or identifiable natural person.” The law does not include de-identified data or publicly available information.
- The law exempts any body, authority, board, bureau, commission, district, or agency of Virginia or of any political subdivision of the state, as well as financial institutions or data subject to other federal privacy laws (i.e., GLBA, HIPAA, HITECH).
- Similar to GDPR and CCPA, the law provides the following rights to consumers:
  - To know whether a business is processing a person’s personal data and to access such personal data
  - To correct inaccuracies in such personal data
  - To delete such personal data
  - To obtain a copy of such personal data that was previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance
  - To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
- Data Controllers, those who determine the purpose and means of processing personal data, must respond to consumers within 45 days of receipt of the request. Extensions are permitted if notice and reason for the extension are given to the consumer.
- A Data Processor is defined as a natural or legal entity that processes personal data on behalf of a controller.
- The law contains monetary civil penalties for violations. The state’s attorney general (AG) has exclusive authority to enforce the VCDPA in the name of the state or on behalf of residents of the state. The AG can issue a civil investigative demand to any Data Controller or Data Processor believed to be engaged in, or about to engage in, any violation of the VCDPA.
- Any Data Controller or Data Processor that violates the VCDPA is subject to an injunction and may be liable for a civil penalty of not more than $7,500 for each violation. The AG may also recover investigation and preparation expenses including attorney’s fees.
This new Virginia law follows suit with other existing state legislation, with some differences, notably more exemptions, both in which entities are covered and in what data is covered. However, like other states’ privacy laws, a business does not have to be present in Virginia to be regulated by the law. Any business that meets the criteria is subject to the regulation and to potential liability and civil penalties. This essentially means every business should review this law and its applicability.
Federally, the United States still has not enacted uniform general data privacy laws, but Leech Tishman’s Data Privacy & Cybersecurity Practice Group believes that legislation is around the corner, especially in light of the new political changes in Washington and given that there appears to be bipartisan support for sweeping federal data privacy laws. Further, as more states enact data privacy laws, they will continue to create a patchwork of different laws, along with concern and confusion for the businesses that must follow them. This has created more incentive for the federal government to act.
Leech Tishman’s Data Privacy & Cybersecurity Practice Group stands ready to assist businesses across the country that may be subject to the various states’ data privacy laws including the newly enacted data privacy law in the Commonwealth of Virginia.
James K. Paulick is Counsel with Leech Tishman and Co-Chair of the Data Privacy & Cybersecurity Group. He is also a member of the Litigation Practice Group and the White Collar Criminal Defense & Government Investigations Group. Jim is based in the Pittsburgh office and can be reached at 412.261.1600 or firstname.lastname@example.org.
Chris Gonzalez is a Partner at Leech Tishman, Co-Chair of the Data Privacy & Cybersecurity Group and Co-Chair of the Cannabis Group. He is also a member of the firm’s Corporate, Employment & Labor, Intellectual Property, Litigation, International and Immigration Practice Groups. Chris is based in the Pasadena, CA office and can be reached at 818.550.8300 or email@example.com.
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in alternative dispute resolution, aviation & aerospace, bankruptcy & creditors’ rights, construction, corporate, employee benefits, employment, energy, environmental, estates & trusts, family law, government relations, immigration, insurance coverage & corporate risk mitigation, intellectual property, international legal matters, litigation, real estate, and taxation. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota and Wilmington, DE.