On March 2, 2021, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (“VCDPA”), making Virginia the second state to enact its own comprehensive data protection law. The Act governs data collection, processing, storage and destruction by data controllers and processors — defined as entities that conduct business in the Commonwealth of Virginia and either process the personal data of 100,000 or more individuals annually or obtain half of their gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 consumers. The VCDPA does not apply to government agencies, most financial institutions, or entities governed by the Health Insurance Portability and Accountability Act (and its amendments).
The new law adopts the concept of “data controllers” and “data processors” from the European Union’s General Data Protection Regulation (“GDPR”), along with many of the GDPRs attendant roles and responsibilities (such as contractual obligations between controllers and processors). The VCDPA further gives consumers the right to access, correct, delete, obtain copies of, and opt out of the processing of their data for advertising purposes, and provides a mechanism for consumers to invoke these rights. It does not grant consumers a private right of action, and can be enforced solely by the state’s attorney general. The VCDPA will become effective on January 1, 2023.