
Virginia Consumer Data Protection Act

April 01, 2021

Virginia Governor Ralph Northam signed the Consumer Data Protection Act; this alert highlights the key points to know.

At-A-Glance

On March 2, 2021, Virginia Governor Ralph Northam signed the Consumer Data Protection Act. Some key points are as follows:

  • This act is effective on January 1, 2023.
  • This act protects personal data when an individual is acting as the consumer.
  • The act applies to businesses that control or process personal data of at least 100,000 consumers, or that control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.
  • There are specific organizations exempt from this Act.

Eligibility

The Act applies to organizations that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that, during a calendar year, control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.

Notably, this act does not apply to data collected about individuals in an employment context. The following organizations are exempt from the Act:

  • Commonwealth of Virginia bodies, authorities, bureaus, commissions, districts or agencies, and any political subdivisions;
  • Financial institutions subject to the Gramm-Leach-Bliley Act;
  • Covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA);
  • Nonprofit organizations; and
  • Institutions of higher education.

General Requirements

The Act states several requirements for employers who are processing personal data. These obligations are as follows:

  • Data Minimization: employers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for the data processing;
  • Purpose Limitations: employers must process personal data only for purposes reasonably necessary or compatible with the purposes disclosed in the employers’ privacy policy;
  • Security Controls: employers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality of personal data;
  • Consent: employers must obtain express consent from consumers when the employer processes sensitive data or when the employer deviates from the purposes disclosed within the business’ privacy policy; and
  • Data Protection Assessments: employers must conduct data protection assessments to evaluate the risks associated with the specific data processing activities.

The Consumer Data Protection Act requires businesses to have written agreements with third-party vendors that outline the scope of data processing. The CDPA lists specific requirements that must be included in the agreement.

Consumer Privacy Rights

The CDPA sets out six privacy rights for Virginia consumers. These rights are as follows:

  • Right to access;
  • Right to rectification;
  • Right to deletion;
  • Right to data portability;
  • Right to object to data processing; and
  • Right to be free from discrimination.

Penalties

The CDPA will be enforced by the Virginia Attorney General, and a Consumer Privacy Fund will be established to ensure resources are allocated for enforcement. Notably, there is no private right of action. Penalties may be up to $7,500 per violation.

Thank you for choosing Paylocity as your Payroll Tax and HCM partner.

This information is provided as a courtesy, may change, and is not intended as legal or tax guidance. Employers with questions or concerns outside the scope of a Payroll Service Provider are encouraged to seek the advice of a qualified CPA, Tax Attorney or Advisor.