Virginia Takes Different Tack Than California With Data Privacy Law

Online businesses that target Virginia consumers and hold the personal data of 100,000 consumers in the state must conform to the new statute.

Rarely do Virginia and California fall into the same legislative camp, but if the Virginia Consumer Data Protection Act is signed by its governor (as is widely expected), both states will have a sweeping data privacy act. And in the absence of a federal data privacy law, individual states continue to fill gaps centered on consumers, businesses, and the collection of data.

Who's Covered By VCDPA
Businesses that "conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data."   

Remember that conducting business in the age of e-commerce can mean simply operating a website that targets residents in Virginia. Thus, if you are a business with a website targeting Virginia consumers and have the personal data of at least 100,000 of those consumers, you likely fall under the arm of the statute and need to take steps to comply. This is a notable departure from California's CCPA, which centers on businesses that meet a $25 million revenue threshold, possess personal data of more than 50,000 consumers, or earn more than half their annual revenue selling consumers' personal data. Virginia's legislation centers instead solely on Virginia consumers served or data sold.

A series of businesses are exempt from VCDPA, including those that fall under HIPAA or Gramm-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and governmental entities in Virginia.

What Is Personal Data Under VCDPA?
The act defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable natural person." It does not include de-identified data or publicly available data. And, most notably, it also does not include a "natural person acting in a commercial or employment context." In other words, personal data applies almost strictly to consumer data. The act exempts data generated for business contacts or information held on employees.

VCDPA creates a second threshold for "sensitive data," which it defines as data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status.

Business-to-business communications and contacts are also specifically carved out; the act instead addresses consumer-driven data collection. Thus, if you are a business that operates by sales teams reaching out directly to other businesses, you may not fall under the definition of "personal data" as the VCDPA defines it. Similarly, photographs, videos, and audio recordings are exempt from the definition of biometric data.

The VCDPA grants rights to consumers to confirm the personal data being processed by a business, to obtain a copy of that data, or to request the business delete that personal data. And, notably, the act allows that a consumer may opt out of the processing of the personal data for targeted advertising, sale, or profiling of the consumer. 

The Compliance Countdown Is On 
The act takes effect Jan. 1, 2023, a compliance deadline that also lines up with the recently passed California Consumer Rights Act. 

This will most certainly continue to drive the conversation toward a federal data privacy act. Right now, a patchwork of states are creating laws that are driving the consumer data privacy conversation. If the governor signs the VCDPA as expected, Virginia will have beaten Maryland, Minnesota, New York, and Washington to the punch in a national conversation.  

Security Professionals Must Be Particularly Mindful 
The VCDPA requires that businesses "establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data." The act goes a step further and adds these teeth: "Such data security practices shall be appropriate to the volume and nature of the personal data at issue." In other words, if a business is storing or processing high volumes of consumer information, it will be held to a higher standard. 

The VCDPA requires that businesses "limit the collection of personal data to what is adequate, relevant, and reasonably necessary." In other words, businesses must be mindful of how they collect information and the duration for which they store this data. As many security professionals know, this is in many ways mission critical to limiting the fallout zone of a future potential data incident. The less sensitive data a business stores, the less risk the organization shoulders if an incident occurs.

The VCDPA will continue to push forward the national conversation on data privacy rights and the security of consumer data. Privacy and security go hand in hand under these data privacy acts, which show that many companies must defend not only against external forces attempting to access data but also against improper internal collection of consumer information.

Rather than wait for January 2023, all businesses — especially those with a national footprint — are well served to begin analyzing their data footprints now and taking steps toward compliance with Virginia and California's new enhanced privacy protections for consumers.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...

User Rank: Author
3/3/2021 | 9:50:22 PM
Great article
Great article, Beth! I agree that separate states enacting privacy laws will hopefully push us toward a comprehensive federal policy. It's a complex and important issue and we shouldn't approach it in a piecemeal manner.