In addition to a night of revelry, the 2023 new year will trigger the many new privacy mandates in the Virginia Consumer Data Protection Act (VCDPA) for businesses operating in Virginia — only the second state with active consumer privacy legislation behind California, with other states’ privacy laws, such as those of Colorado, Connecticut and Utah, taking effect later this year. Virginia Attorney General Miyares is no doubt eager to flex his new authority under the VCDPA, meaning companies that process, collect, or sell Virginians’ personal information should carefully read the VCDPA to ensure their compliance with the new law.
Troutman Pepper has covered the VCDPA since the bill became law in March 2021. Our Virginia Consumer Data Protection Act Series provides a detailed overview of the VCDPA, while also comparing it to California’s Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Modeled in part on the CCPA/CPRA and the EU’s General Data Protection Regulation (GDPR), the VCDPA will give Virginians several new consumer privacy rights over their “personal information,” including the right to access, the right of rectification, the right to delete, the right to opt out, the right of portability, and the right against automatic decision making. Notably, unlike California’s privacy law, the VCDPA does not provide for rulemaking by the AG; thus, the act itself determines compliance, not rules passed by a government office or agency.
As the VCDPA takes effect, it is important for entities doing business with Virginians to recognize that the VCDPA broadly defines “personal information” as “any information that is linked or reasonably linked to an identified or identifiable natural person” and adds a more protected subcategory of personal data called “sensitive data,” which includes all data revealing demographic information, religious beliefs, health diagnoses, sexual orientation, immigration status, genetic/biometric information, any data collected from a child, or precise geolocation. Entities must “conduct and document a data protection assessment” if they process any sensitive data, sell personal data, or process personal data for targeted advertising or profiling purposes, among many other requirements.
During the 2022 legislative session, the Virginia legislature passed multiple amendments to the VCDPA. The first set of amendments established a new exception to the VCDPA’s right to delete, applicable when a source other than the consumer collects personal data. Under this new exception, data is considered deleted if (1) a minimal record of the deletion request is retained for the exclusive purpose of ensuring the consumer’s data is/remains erased; or (2) the consumer has opted out of all nonexempt data processing activities (e.g., targeted advertising and sales). The second set of amendments eliminates the VCDPA’s “Consumer Privacy Fund” and diverts all funds collected under this law to the state treasury’s Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. These amendments also redefine “nonprofit organizations” to include tax exempt political organizations.
Although the VCDPA is only the second comprehensive consumer privacy law in the United States and Virginia’s first comprehensive privacy law, it should not be read in isolation from the commonwealth’s existing framework of privacy-related laws. As Troutman Pepper reported in November 2022, Virginia has already enacted a number of privacy statutes, such as the Personal Information Privacy Act (PIPA), Insurance Data Security Act (IDSA), and Data Breach Notification Law (DBNL), which require certain entities doing business with Virginians to carefully consider cybersecurity and consumer privacy obligations when dealing with consumer data. As a result, entities should remain mindful of any applicable requirements under Virginia’s pre-existing network of related laws, such as the PIPA, IDSA, and DBNL, which the VCDPA will add to — not replace.
Why This Matters
In an environment consisting of a patchwork of state-level privacy legislation that affects how businesses use and interact with consumer data, companies need to consider working with outside counsel to develop a consumer privacy compliance program that — in addition to complying with relevant obligations under the jurisdictions with consumer privacy laws, such as Virginia and California — allows for some flexibility as statehouses across the country pass new consumer privacy laws and regulations in the coming years.
Troutman Pepper State Attorneys General Team
Ashley Taylor – Co-leader and Firm Vice Chair: Ashley is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. He focuses primarily on federal and state government regulatory and enforcement matters involving state attorneys general, the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC). Drawing upon his experience as a deputy attorney general, Ashley has developed an extensive consumer practice with regard to the consumer financial services industry.
Clay Friedman – Co-leader: Clay is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. Informed by nearly a decade in a state attorneys general office, and more than 25 years in private practice, Clay spends much of his time representing clients in singular or multistate regulatory actions. Clay has repeatedly led teams before all 50 state attorneys general and also handles matters with the Federal Trade Commission, the Consumer Financial Protection Bureau, and other local, state and federal agencies.
Stephen Piepgrass: Stephen represents clients interacting with, and being investigated by, state attorneys general and other enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, particularly in heavily regulated industries.
Michael Yaghi: Michael handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
Avi Schick: A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies.
Ketan Bhirud: As a former government official at the state and federal level, Ketan leverages extensive experience in the public and private sectors to skillfully represent client interests.
Chris Carlson: Chris represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Natalia Jacobo: Natalia is an associate in the firm’s business litigation practice. She recently received her J.D. from the University of California, Davis School of Law.
Namrata Kang: Namrata is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. Her work includes advising clients in regulatory investigations and compliance matters, in addition to representing clients in civil litigation matters.
Susan Nikdel: Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes. Susan also represents banks, fintechs, and financial services companies in connection with regulatory examinations and investigations brought by the CFPB, state attorneys general, and the California Department of Financial Protection and Innovation.
Whitney Shepard: Whitney is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey Smith: Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement practice. His experience includes serving as a summer associate at the firm in 2021.
Daniel Waltz: An experienced litigator, Daniel advises and represents regional, national and international companies, financial institutions and insurers in all facets of business, complex commercial and insurance coverage litigation. He is committed to working with his clients to find creative solutions to meet their needs.
Stephanie Kozol: Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.