Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) is a state law that gives Virginians rights over how businesses collect, use, and sell their personal data. The VCDPA was signed into law in March 2021 and went into effect on January 1, 2023, making Virginia the second state, after California, to enact comprehensive consumer data privacy legislation.

The VCDPA applies to businesses that:

• Operate in Virginia
• Target Virginia residents with their products or services
• Control or process personal data for at least 100,000 consumers
• Make more than 50% of their gross revenue from selling personal data and control or process personal data for at least 25,000 consumers

The VDCPA specifies six consumer rights:

1. the right to confirm whether a controller is processing the consumer’s personal data;
2. the right to access the personal data processed by a controller;
3. the right to correct inaccuracies in the consumer’s personal data;
4. the right to delete personal data provided by or obtained about the consumer;
5. the right to obtain a copy of the person personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format; and
6. the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling.

The VCDPA protects two types of consumer data:

• Personal Data: any information connected or reasonably connectable to an identified or identifiable natural person. This does not include de-identified data or publicly available information.
• Sensitive Data:  a subset of personal data that includes:
  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data to uniquely identify a natural person;
  • Personal data collected from a known child; or
  • Precise geolocation data.

The VCDPA also requires businesses to obtain consent from consumers before using their data. It mandates companies to perform data protection assessments when processing personal data for targeted advertising and sales. Additionally, the law imposes certain restrictions on the use of de-identified data, which is data altered to no longer directly identify the individuals from whom it was collected.

Some entities are exempt from the VCDPA, including: Government agencies, Financial institutions, Businesses covered by HIPAA, Nonprofit organizations, and Higher education institutions.

Summary developed with support from Bloomberg Law.

Analysis

Does the policy solution re-distribute power from mainstream institutions to impacted Black community?   

The VCDPA primarily focuses on providing individual consumers with rights over their personal data rather than redistributing power to specific communities, including the Black community. However, by granting individuals more control over their data, and by having more transparency and accountability, the policy does enable consumers, including those from impacted Black communities, to have greater say over how their data is used by businesses.

Does this policy address needs impacting diverse groups within Black communities (Black femmes, Black LGBTQ+ communities, Black immigrants, people in poverty, differently abled, people impacted by justice system)? If so, how? 

The VCDPA addresses privacy needs that can impact all consumers, including diverse groups within Black communities. The law’s protections around sensitive data, such as racial or ethnic origin, health diagnosis, and precise geolocation data, are particularly relevant for marginalized groups who may face discrimination based on this information. The requirement for businesses to obtain consent before using such data helps safeguard these communities from potential misuse and exploitation.

Does this policy provide more decision-making power at the hands of Black communities?  

While the VCDPA does not specifically provide more decision-making power to Black communities, it does empower individual consumers, including members of Black communities, by granting them rights to access, correct, delete, and control the use of their personal data. The law mandates that businesses obtain consumer consent before processing sensitive data. This requirement ensures that consumers are aware of and agree to how their data will be used, providing a layer of protection against potential discriminatory practices. This increased control can indirectly support the decision-making power of Black communities over their personal information.

Does the policy undermine extractive economies like capitalism and restore community power around a local and regenerative economy/ primary production?  

The VCDPA does not directly address or undermine extractive economic systems like capitalism. Its focus is on consumer data privacy and protection rather than economic restructuring. Therefore, it does not have provisions aimed at restoring community power around local and regenerative economies.

Does the policy repair past harm and uphold civil and human rights, health and environmental protections? 

The VCDPA contributes to upholding civil and human rights by protecting consumers’ personal data and giving them control over how it is used. By requiring businesses to obtain consent for processing sensitive data, it helps protect individuals from potential harms related to misuse of their personal information. The VCDPA requires companies to conduct data protection assessments when processing personal data for targeted advertising and sales purposes. These assessments help identify and mitigate historic and ongoing risks associated with data processing, ensuring that practices do not disproportionately harm or discriminate against specific communities. However, it does not explicitly focus on repairing past harms or addressing health and environmental protections. Its primary emphasis is on data privacy and consumer rights.