Virginia’s New Amendments to the VCDPA

Background

Virginia is one of only a handful of states thus far with a comprehensive law governing data privacy. (Read more about the VCDPA here). The VCDPA applies to businesses that either:

(1) Conduct business in Virginia or produce products or services that are targeted to Virginia residents.

(2) During a calendar year—

(i) Control or process personal data of at least 100,000 consumers.

(ii) Control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The VCDPA contains many broad exemptions, such as for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA), as well as nonprofits and institutions of higher education. Where the VCDPA applies, it grants certain rights to consumers concerning their data, namely the right to access their personal data, the right to correct inaccuracies in their personal data, the right to data portability, the right to opt out of certain processing and the right to delete their personal data.

Unlike California (via the California Privacy Rights Act (CPRA)), Virginia does not have a dedicated privacy agency to promulgate regulations. Instead, the VCDPA-created Virginia Consumer Data Protection Work Group met over the course of 2021 to recommend changes to the law, releasing its final report in November. The recommendations of this working group resulted in these three amendments.

New Right to Delete Exemption

With the signing of HB 381, the VCDPA gains a new exemption to the right to delete personal data.² Specifically, organizations that determine the purpose and means of processing consumer personal data (“controllers”) will not always have to delete personal data upon request. The amendment states that data controllers that have obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete this data by either:

1. Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumers’ personal data remains deleted from the business’s records and not using such retained data for any other purpose.
2. Opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the VCDPA.³

This new deletion exemption will be beneficial to data brokers and other companies that do not directly obtain personal data from consumers, enabling them to more easily comply with data deletion requests.

Repeal of Consumer Privacy Fund

The Governor signed identical bills SB 534 and HB 714, which alter the funding structure for enforcement of the VCDPA. While the original language of the VCDPA provided for the creation of a Consumer Privacy Fund, now all “civil penalties, expenses, and attorney fees collected pursuant to [the VCDPA] shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation and Enforcement Revolving Trust Fund.”⁴ This change pertains only to enforcement funding and does not affect company obligations under the law.

Expanded Definition of “Nonprofit Organization”

The aforementioned bills also amend the definition of “nonprofit organization” to include political organizations.⁵ As noted above, nonprofit organizations are exempt from compliance with the VCDPA. A “political organization” is defined by this amendment as:

“a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.”⁶

Takeaways

With these amendments signed into law by Gov. Youngkin, the VCDPA text is likely final in advance of its January 1, 2023, effective date. Companies covered by the VCDPA should incorporate these amendments into their VCDPA compliance plans, taking measure of how features such as the new right to delete exemption (a feature present in Utah’s new law) will affect their practices. The changes do not greatly alter the VCDPA, only providing more business-friendly clarifications to an already business-friendly data privacy law.

Please contact a member of Akin Gump’s cybersecurity, privacy and data protection team if you have any questions about these amendments or how they will affect your company’s data or privacy plans.

¹ Virginia Gov. Glenn Youngkin signed three bills amending the VCDPA and the bills, while technically taking effect July 1, 2022, by procedure, do not become effective and enforced until January 1, 2023.

² Virginia lawmakers passed identical bills HB 381 and SB 393. Gov. Youngkin vetoed the latter while signing the former.

³ H.B. 381 § 59.1-577(B)(5).

⁴ S.B. 534 § 59.1-584(C).

⁵ S.B. 534 § 59.1-575.

⁶ Id. § 59.1-575.