Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA), enacted on March 2, 2021, and effective January 1, 2023, is one of the most significant state privacy laws in the United States following California's CCPA. It establishes a comprehensive framework for protecting the personal data of Virginia residents.

**Applicability:** The VCDPA applies to entities that conduct business in Virginia or produce products or services targeted at Virginia residents, and that either control or process the personal data of at least 100,000 consumers during a calendar year, or control or process the personal data of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data.

**Consumer Rights:** The law grants Virginia residents several key rights, including the right to access, correct, and delete their personal data, the right to data portability, and the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

**Controller Obligations:** Data controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes. They must implement reasonable data security practices, conduct data protection assessments for high-risk processing activities, and provide clear and accessible privacy notices.

**Sensitive Data:** The VCDPA requires opt-in consent before processing sensitive data, which includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and precise geolocation data.

**Enforcement:** Unlike the CCPA, the VCDPA does not include a private right of action. Enforcement authority rests exclusively with the Virginia Attorney General, who must give written notice and a 30-day cure period before taking action. Civil penalties can reach up to $7,500 per violation.

**Notable Distinctions:** The VCDPA does not apply to state or local government entities, nonprofits, or institutions of higher education. It follows an opt-out model for sale, targeted advertising, and profiling, similar to other state laws, and was influenced by the CCPA but adopts a more business-friendly approach with clearer definitions and obligations.
Virginia Consumer Data Protection Act (VCDPA): A Comprehensive Guide for CIPP/US Exam Preparation
Introduction to the Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) is one of the most significant state-level privacy laws in the United States, signed into law on March 2, 2021, and effective as of January 1, 2023. Virginia became the second state after California to enact a comprehensive consumer data privacy law, and the VCDPA has since served as a model for many other state privacy laws across the country. Understanding the VCDPA is essential for CIPP/US exam candidates, as it represents a critical piece of the evolving U.S. state privacy landscape.
Why the VCDPA Is Important
The VCDPA is important for several key reasons:
1. Second Comprehensive State Privacy Law: As the second comprehensive state privacy law enacted in the U.S. (after the California Consumer Privacy Act/CCPA), the VCDPA signaled a growing trend toward state-level privacy regulation in the absence of a federal comprehensive privacy law.
2. Legislative Model for Other States: The VCDPA's structure and approach have been widely replicated. States such as Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon have adopted laws that closely mirror the VCDPA framework, making it a de facto template for state privacy legislation.
3. Business-Friendly Approach: Unlike the CCPA, the VCDPA was largely drafted with input from the technology industry, resulting in a law that is often considered more business-friendly. This distinction is important to understand for exam purposes.
4. GDPR Influence: The VCDPA borrows several concepts from the European Union's General Data Protection Regulation (GDPR), including the controller/processor distinction, data protection assessments, and the concept of consent for sensitive data processing. Understanding these parallels is crucial.
5. No Private Right of Action: The VCDPA does not provide consumers with a private right of action, which is a significant distinction from the CCPA. Enforcement is vested exclusively in the Virginia Attorney General.
What the VCDPA Is: Key Definitions and Scope
Applicability:
The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:
- During a calendar year, control or process personal data of at least 100,000 consumers; OR
- Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Note: "Consumer" under the VCDPA means a natural person who is a Virginia resident acting only in an individual or household context. It does not include individuals acting in a commercial or employment context.
Key Definitions:
- Personal Data: Any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data or publicly available information.
- Controller: A natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
- Processor: A natural or legal person that processes personal data on behalf of a controller.
- Sale of Personal Data: The exchange of personal data for monetary consideration by the controller to a third party. This is a narrower definition than the CCPA's, as it does not include exchanges for "other valuable consideration."
- Sensitive Data: Includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; processing of genetic or biometric data for identification purposes; personal data collected from a known child; and precise geolocation data.
- Targeted Advertising: Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. It does not include advertisements based on activities within a controller's own websites or advertisements based on the context of a consumer's current search query or visit.
Exemptions:
The VCDPA contains entity-level and data-level exemptions:
- Entity-Level Exemptions: Government entities, nonprofits, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and entities subject to HIPAA/HITECH.
- Data-Level Exemptions: Data regulated under GLBA, HIPAA/HITECH, the Fair Credit Reporting Act (FCRA), the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act, and certain employment-related data.
How the VCDPA Works: Core Requirements and Consumer Rights
Consumer Rights Under the VCDPA:
The VCDPA grants Virginia consumers the following rights:
1. Right to Access: The right to confirm whether a controller is processing their personal data and to access such data.
2. Right to Correction: The right to correct inaccuracies in their personal data.
3. Right to Deletion: The right to delete personal data provided by or obtained about the consumer.
4. Right to Data Portability: The right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
5. Right to Opt Out of:
- The sale of personal data
- Targeted advertising
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Note: Unlike the CCPA, the VCDPA does not include a right to opt out of "sharing" as a separate concept, nor does it provide a right to limit the use of sensitive personal information. Instead, the VCDPA requires opt-in consent for processing sensitive data.
Controller Obligations:
Controllers under the VCDPA must:
1. Limit Data Collection: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed (data minimization).
2. Purpose Limitation: Not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the consumer provides consent.
3. Security: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
4. Non-Discrimination: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers may not discriminate against consumers for exercising their rights.
5. Privacy Notice: Provide a reasonably accessible, clear, and meaningful privacy notice that includes:
- Categories of personal data processed
- Purposes for processing
- How consumers may exercise their rights, including the right to appeal
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared
- Whether the controller sells personal data or processes it for targeted advertising
6. Consent for Sensitive Data: Obtain the consumer's opt-in consent before processing sensitive data. This includes parental consent (compliant with COPPA) for processing data of known children under 13.
7. Data Protection Assessments: Conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including:
- Processing for targeted advertising
- Sale of personal data
- Processing for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial/physical/reputational injury, intrusion on solitude/seclusion, or other substantial injury
- Processing of sensitive data
- Any processing that presents a heightened risk of harm
Data protection assessments must weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer, mitigated by safeguards the controller can employ.
Processor Obligations:
Processors must:
- Adhere to the controller's instructions
- Assist the controller in meeting its obligations under the VCDPA
- Enter into a contract with the controller that governs the processor's data processing procedures, including:
  - Instructions for processing
  - Nature and purpose of processing
  - Type of data subject to processing
  - Duration of processing
  - Rights and obligations of both parties
  - Requirement for subcontractor agreements
  - Obligation to delete or return data upon request
  - Obligation to make available information to demonstrate compliance
  - Obligation to allow and cooperate with reasonable audits/assessments
Responding to Consumer Requests:
- Controllers must respond to consumer requests within 45 days, with the possibility of a 45-day extension when reasonably necessary (with notice to the consumer).
- If a controller declines to take action on a request, the consumer must be informed without undue delay, within 45 days, of the reasons and instructions on how to appeal.
- Controllers must establish an internal appeal process. If the appeal is denied, the consumer must be provided with an online mechanism or other method to contact the Virginia Attorney General to submit a complaint.
Enforcement and Penalties
- Exclusive enforcement by the Virginia Attorney General.
- No private right of action — consumers cannot sue directly under the VCDPA.
- Right to Cure: Before initiating an action, the Attorney General must give the controller or processor written notice identifying the provisions allegedly violated and a 30-day opportunity to cure. If the violation is cured within that period and the controller or processor provides an express written statement that the violations have been cured and will not recur, no action is initiated. Unlike the cure periods in Colorado and Connecticut, Virginia's has no sunset date and remains mandatory.
- Violations are enforceable under the Virginia Consumer Protection Act, with civil penalties of up to $7,500 per violation, plus attorney's fees and investigative costs.
Key Distinctions Between the VCDPA and Other State Privacy Laws
VCDPA vs. CCPA/CPRA:
- The VCDPA uses a controller/processor framework (like the GDPR); the CCPA uses business/service provider/contractor terminology.
- The VCDPA's definition of "sale" is limited to monetary consideration only; the CCPA includes "other valuable consideration."
- The VCDPA requires opt-in consent for sensitive data processing; the CPRA allows consumers to limit the use and disclosure of sensitive personal information (an opt-out right).
- The VCDPA has no private right of action; the CCPA provides a limited private right of action for data breaches involving certain categories of personal information.
- The VCDPA does not have a revenue-based threshold; the CCPA applies to businesses with annual gross revenues exceeding $25 million.
- The VCDPA exempts nonprofits; the CCPA does not have a blanket nonprofit exemption.
- The VCDPA does not include a right to know the specific pieces of personal information collected in the same manner as the CCPA (though the right to access serves a similar function).
VCDPA vs. Colorado Privacy Act (CPA):
- Both are very similar in structure and provisions.
- The CPA requires controllers to recognize universal opt-out mechanisms (effective July 1, 2024); the VCDPA contains no such requirement.
- The CPA applies to nonprofits; the VCDPA does not.
VCDPA vs. Connecticut Data Privacy Act (CTDPA):
- Very similar frameworks.
- Connecticut requires recognition of universal opt-out mechanisms.
- Connecticut includes loyalty program exemptions and specific provisions related to children's data.
Amendments and Updates
The VCDPA has been amended since its original enactment. Key amendments include:
- 2022 amendments (effective July 1, 2022): a controller that obtained personal data from a source other than the consumer may satisfy a deletion request by retaining a record of the request and opting the consumer out of further processing; the nonprofit exemption was expanded to cover political organizations and 501(c)(4) social welfare organizations; and civil penalties are deposited in the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund rather than a dedicated Consumer Privacy Fund.
- 2024 amendments (effective January 1, 2025): additional protections for known children under 13, including stricter data minimization and limits on processing a known child's personal data for targeted advertising, sale, or profiling and on collecting a known child's precise geolocation data.
Two things the amendments have not changed: the 30-day cure period remains mandatory with no sunset date, and the Act does not require controllers to recognize universal opt-out mechanisms. Both points distinguish Virginia from Colorado and Connecticut.
Exam candidates should be aware of these amendments and their effective dates.
Exam Tips: Answering Questions on the Virginia Consumer Data Protection Act (VCDPA)
1. Know the Thresholds: Memorize the two applicability thresholds — 100,000 consumers, or 25,000 consumers plus over 50% of gross revenue from the sale of personal data. Remember that these relate to Virginia residents only and that the VCDPA does not have a revenue-based threshold like the CCPA.
2. Understand the "Sale" Definition: The VCDPA defines "sale" as exchange for monetary consideration only. This is a frequently tested distinction from the CCPA, which includes "other valuable consideration." If an exam question asks about what constitutes a sale under the VCDPA, remember this narrower definition.
3. Sensitive Data = Opt-In Consent: A high-yield exam topic is that the VCDPA requires opt-in consent for processing sensitive data. Be able to identify what constitutes sensitive data (racial/ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship/immigration status, genetic data, biometric data, data from known children, precise geolocation). Compare this to the CPRA's approach, which provides an opt-out right to limit the use of sensitive personal information.
4. No Private Right of Action: This is one of the most commonly tested points. The VCDPA is enforced exclusively by the Virginia Attorney General. Consumers cannot bring lawsuits directly under the VCDPA.
5. Controller/Processor Distinction: The VCDPA uses GDPR-like terminology (controller and processor), not the CCPA's terminology (business and service provider). Know the obligations of each and the required contractual provisions between controllers and processors.
6. Know the Consumer Rights: Be able to list all five consumer rights (access, correction, deletion, data portability, opt-out of sale/targeted advertising/profiling). Remember that the VCDPA does not include a right to limit the use of sensitive data (it uses opt-in consent instead) and does not include a right to opt out of "sharing" as a separate concept.
7. Response Timeline: 45 days to respond, with a possible 45-day extension. This is the same as the CCPA. Remember the appeal process requirement.
8. Data Protection Assessments: Know when they are required (targeted advertising, sale, profiling with risk of harm, sensitive data processing). Understand that these are similar to DPIAs under the GDPR.
9. Entity-Level Exemptions: Memorize the key exemptions — government entities, nonprofits, higher education institutions, GLBA-covered entities, and HIPAA-covered entities. The nonprofit exemption is a key distinction from the CCPA and the Colorado Privacy Act.
10. The Consumer Definition: "Consumer" under the VCDPA means a Virginia resident acting in an individual or household context. It excludes individuals acting in a commercial or employment context. This differs from the CCPA/CPRA: California's temporary exemptions for employee and business-to-business data expired on January 1, 2023, so those individuals are now covered there.
11. Cure Period: The VCDPA's 30-day cure period is mandatory and has no sunset date. If an exam question states that a state's cure period has expired, that describes Colorado or Connecticut, not Virginia.
12. Universal Opt-Out Mechanisms: The VCDPA does not require controllers to honor universal opt-out signals. This is a point of contrast with Colorado and Connecticut, which do.
13. Comparison Questions: Many exam questions ask you to compare the VCDPA with the CCPA/CPRA, CPA, or CTDPA. Focus on:
- Sale definition (monetary only vs. monetary + other valuable consideration)
- Sensitive data approach (opt-in vs. opt-out/limit)
- Private right of action (none vs. limited)
- Nonprofit exemption (yes vs. no)
- Revenue threshold (none vs. $25 million)
- Terminology (controller/processor vs. business/service provider)
14. Practice Elimination: On multiple-choice questions, use the process of elimination. If an answer choice mentions a private right of action under the VCDPA, you can immediately eliminate it. If an answer mentions "other valuable consideration" in the VCDPA's sale definition, eliminate it.
15. Read Questions Carefully: Pay close attention to whether the question asks about the VCDPA specifically or about Virginia privacy law generally. Also note whether the question is asking about the original version of the VCDPA or the amended version.
16. Data Minimization and Purpose Limitation: The VCDPA includes both data minimization and purpose limitation principles, which are core GDPR concepts. Know that controllers must limit collection to what is adequate, relevant, and reasonably necessary, and must not process data for incompatible purposes without consent.
17. Penalties: Remember that violations are enforced under the Virginia Consumer Protection Act with penalties of up to $7,500 per violation.
Summary Checklist for VCDPA Exam Preparation:
✓ Applicability thresholds (100K consumers or 25K + 50% revenue from sales)
✓ Definition of consumer (individual/household context, Virginia resident)
✓ Definition of sale (monetary consideration only)
✓ Five consumer rights (access, correction, deletion, portability, opt-out)
✓ Opt-in consent for sensitive data
✓ Categories of sensitive data
✓ Data protection assessment requirements
✓ Controller and processor obligations
✓ Privacy notice requirements
✓ 45-day response period (+ 45-day extension)
✓ Internal appeal process
✓ No private right of action
✓ AG enforcement only, up to $7,500 per violation
✓ Entity and data-level exemptions
✓ 30-day cure period (mandatory, no sunset date)
✓ No universal opt-out mechanism requirement (unlike CPA and CTDPA)
✓ Key distinctions from CCPA/CPRA, CPA, CTDPA
By thoroughly understanding these elements and practicing comparison-based analysis, you will be well-prepared to answer VCDPA questions confidently on the CIPP/US exam.