FAQ: What is the Virginia Consumer Data Protection Act (VCDPA)?

Data privacy is an increasingly relevant topic, and the patchwork of laws governing it keeps growing.

The Virginia Consumer Data Protection Act (Virginia's CDPA or VCDPA) was passed by both chambers of the Virginia General Assembly and signed into law on March 2, 2021. It imposes new restrictions on how non-exempt businesses collect, disclose, and use the personal data of Virginia residents. Note that the Act uses the term "personal data" rather than the more familiar "personally identifiable information" (PII), and defines it broadly as any information linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified data and publicly available information.


What restrictions are in the new VCDPA?

The Act requires:
  • That publishers (controllers, in the Act's terminology) honor authenticated requests from Virginia consumers to access, correct, delete, or obtain a copy of their personal data, generally within 45 days;
  • That publishers let Virginia consumers opt out of the processing of personal data for targeted advertising, the sale of personal data, and certain profiling (and, further, that sensitive data not be processed at all without the consumer's freely given, specific, informed, and unambiguous consent);
  • That publishers conduct and document data protection assessments for targeted advertising, the sale of personal data, the processing of sensitive data, profiling that carries certain risks, and any other processing of personal data that presents a heightened risk of harm to consumers;
  • That publishers provide a clear and accessible privacy notice describing the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, and what is shared with third parties (and abide by it); and
  • That publishers and their data processors bind each other with contracts containing the specific terms the Act requires.

Processors have their own obligations under the VCDPA. They must follow the controller's documented instructions and assist the controller in responding to consumer requests, securing the personal data they process, meeting breach-notification duties, and supplying the information needed for data protection assessments.

The full text of the VCDPA is codified in Chapter 53 of Title 59.1 of the Code of Virginia.

Some observers have drawn parallels between the California Consumer Privacy Act (the CCPA, signed in 2018 and in effect since January 1, 2020), the first comprehensive data-privacy statute in the United States, and the VCDPA, which was signed into law more than two and a half years later. (Note that the CCPA was itself amended and expanded by the California Privacy Rights Act [CPRA], most of whose provisions took effect on January 1, 2023.)

Others, however, argue that the EU's far more robust General Data Protection Regulation (GDPR) is the closer analogue: the VCDPA borrows the GDPR's controller/processor vocabulary, its consent standard, and its requirement for documented data protection assessments.

But the VCDPA is also distinctly its own statute. While it does restrict certain business-to-consumer (B2C) targeting, it also carves out a number of exemptions that narrow those restrictions.

Also, while some of these restrictions may affect firms' B2C marketing, reaching a Virginian in a business-to-business (B2B) or business-to-government (B2G) context remains outside the Act's scope, because its definition of "consumer" excludes individuals acting in a commercial or employment context (other laws still apply, and the contact should be relevant to the target's job function). But if you want to reach that same Virginian while he or she is relaxing on the sofa with family and phone after a long day, you may need to dial back your targeted advertising.

What Consumer Protections are Provided by the VCDPA?

The VCDPA grants consumers specific rights regarding their personal data. The protections under the Act include:

  1. The right to confirm whether a controller is processing their personal data and to access that data
  2. The right to delete personal data provided by or obtained about them
  3. The right to correct inaccuracies in their personal data
  4. The right to data portability (i.e., a copy of the personal data they previously provided, in a portable and, to the extent technically feasible, readily usable format)
  5. The right to opt out of the processing of personal data for targeted advertising
  6. The right to opt out of the sale of personal data
  7. The right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
  8. The right not to be discriminated against for exercising any of the foregoing rights

To comply, companies must tell consumers about these rights and provide a mechanism (for example, a link in the privacy notice or a web form) for exercising them. The Act also codifies various personal data obligations for businesses. Before collecting or processing sensitive data, covered firms must first obtain the consumer's consent. Sensitive data includes precise geolocation data; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.

The VCDPA resembles the CCPA in that it mandates a binding contract between a controller and each processor that handles personal data on its behalf. The contract must set out the processing instructions, the nature and purpose of the processing, the type of data and the duration, and the processor's obligations, including a duty of confidentiality, deletion or return of the data when the engagement ends, making compliance information available to the controller, and flowing the same terms down to any subcontractor.

In addition, the VCDPA limits the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer, and bars processing for purposes that are neither reasonably necessary for nor compatible with those disclosed purposes unless the consumer consents. These concepts are known as data minimization and purpose limitation, respectively.

The VCDPA also mandates that businesses establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the data at issue.

The Act does not prescribe specific controls. A security program aligned with a recognized industry framework and scaled to the size and complexity of the organization and the personal data it handles is a defensible reading of "reasonable"; however, it is not yet clear how the Attorney General will evaluate these reasonableness criteria in enforcement.

Finally, like the General Data Protection Regulation (GDPR) of the European Union, the VCDPA mandates that controllers perform and document a data protection assessment before processing sensitive data or engaging in targeted advertising, the sale of personal data, or profiling that carries certain risks. The Attorney General may request these assessments during an investigation, and they are treated as confidential.

Who Will Enforce the VCDPA?

The Virginia Attorney General has exclusive authority to enforce the VCDPA. Before filing suit, the Attorney General must give the controller or processor written notice and a 30-day period to cure the violation; a violation that continues past that point can result in a civil penalty of up to $7,500 per violation, plus the Attorney General's reasonable expenses. It is significant that the Act gives individual consumers no private right of action (the CCPA provides a limited one, for certain data breaches).

The Act's protections are also narrowed by its definition of "consumer": a Virginia resident who is a natural person "acting only in an individual or household context." It expressly excludes natural persons "acting in a commercial or employment context." (Contrast this with the CCPA, which does not restrict its definition of "consumer" to individuals acting in a household context.)

Who Does the VCDPA Apply To?

Like the CCPA, the VCDPA can reach companies that are not based in Virginia but nonetheless do business in the state. It applies to persons that (1) conduct business in Virginia or produce products or services targeted to Virginia residents; and (2) during a calendar year, either: (a) control or process the personal data of at least 100,000 consumers; or (b) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Virginia government bodies, nonprofits, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates under HIPAA are exempt.

When Did the VCDPA Become Effective?

The VCDPA took effect on January 1, 2023, so covered businesses must already be in compliance.

On March 2, 2021, Virginia became the second state after California to enact comprehensive data privacy legislation, adding to what is becoming a nationwide patchwork of data privacy regulations. (Nevada and Maine have also passed data privacy laws, although they are not considered "comprehensive" as defined by the International Association of Privacy Professionals [IAPP].)

What Do Publishers Need to Know about VCDPA?

Companies should assess their personal data processing operations, data security measures, privacy policies, and processor contracts as soon as possible, ahead of enforcement. We also suggest building a single rights-request process that covers both the CCPA and the VCDPA, rather than handling each law's consumer requests separately.

Admiral, a CMP (Consent Management Platform), tracks privacy consent laws that impact online publishers in the United States and worldwide. It’s recommended that you read the CMP FAQ if you have any questions or concerns.

In addition to regulatory mandates, collecting visitor consent can establish a valuable segment of visitors to market to, and has delivered higher CPMs for some publishers.

There Will Be Stricter Data Privacy Laws Soon

The public's attention has been drawn to data privacy as stories of data breaches, improper use of customer data, and privacy scandals grow more common. According to the results of a Cisco survey, 84% of respondents now want more say over their data and how it is used.

This is the tip of the iceberg for publishing companies. Illinois, Maine, Massachusetts, Nevada, New Jersey, and Pennsylvania are just a few of the states that have enacted or are advancing data protection and privacy legislation.

There is also an effort underway to establish a federal data protection agency and national data protection rules. To handle the state-by-state patchwork in the meantime, IAB Tech Lab has created the Global Privacy Platform (GPP), a standard for encoding and transmitting a user's consent and opt-out signals across jurisdictions. Admiral's Consent Management Platform supports GPP and is built for flexibility across states and jurisdictions.

Complying with the VCDPA, CPRA, CCPA, and GDPR

For publishers, it can be a nightmare trying to keep up with all the privacy legislation and the complexities of the GDPR, CCPA, CPRA, and VCDPA. To better handle visitor privacy and consent, many publishers have sought assistance from Admiral.

Admiral is one of the first CMPs to support the Interactive Advertising Bureau's (IAB) specification for transmitting opt-out information to downstream vendors, automatically identifying site visits from Virginia IP addresses and giving visitors a user interface to opt out of data sales.

Admiral's CMP is the best-value privacy consent management solution for media publishers. Schedule a demo today.
