Virginia Follows California Lead on Data Protectionâ€”With Narrower ScopeBy: Faith D. Kasparian & Ann M. O'Rourke
March 8, 2021
On March 2, 2021, a new comprehensive data protection law was enacted in Virginia, which will become effective on January 1, 2023. The scope of the Virginia Consumer Data Protection Act (VCDPA) is narrower in many respects than the California Consumer Privacy Act (CCPA). Notably, unlike the CCPA, there is no threshold that would place a business within scope of the law based solely on the amount of its annual revenues. The VCDPA applies to entities conducting business in, or targeting products and services to residents of, Virginia and that:
- during a calendar year, control or process personal data of at least 100,000 consumers; or
- control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
The following types of entities are exempt from the Virginia law:
- Virginia state or local governmental entities.
- Financial institutions or personal data subject to the Gramm-Leach-Bliley Act.
- Covered entities and business associates subject to the privacy, security, or breach notification rules under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.
- Nonprofit organizations.
- Higher education institutions.
In addition, the VCDPA regulates only “consumer” information – meaning the information of a natural person who is a Virginia resident acting only in an individual or household context. Employee information and business-to-business (B2B) contact information are outside the scope of the VCDPA.
Despite its narrower scope, the VCDPA affords consumers many of the same rights as the CCPA regarding their personal data and places numerous obligations on businesses handling this data if they are within the scope of the law.