Expert Commentary

VCDPA: Application, Definitions, Consumer Rights, and Obligations

The Virginia Consumer Data Protection Act (VCDPA) will become effective on January 1, 2023. This article discusses VCDPA application and definitions, consumer rights, privacy notice requirements, controller and processor responsibilities, and controller-processor contracts.


Cyber and Privacy Risk and Insurance
March 2021

The Virginia attorney general will have exclusive authority to enforce the provisions of the VCDPA.

Application and Definitions

The VCDPA applies to persons that do the following.

  • Conduct business in Virginia; or
  • Produce products or services that are targeted to Virginia residents and that;
  • During a calendar year, control or process personal data of at least 100,000 consumers; or
  • Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

"Controller" means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.

"Processor" means a natural or legal entity that processes personal data on behalf of a controller.

"Process" or "processing" means any operation or set of operations performed on personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

"Consumer" means a natural person who is a Virginia resident acting only in an individual or household context and does not include a natural person acting in a commercial or employment context.

"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data or publicly available information.

"Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.

"Sensitive data" means a category of personal data that includes the following.

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal data collected from a known child; or
  • Precise geolocation data.

"Child" means any natural person younger than 13 years of age.

"De-identified data" means data that cannot reasonably be linked to an identified or identifiable natural person or a device linked to such person.

"Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

"Sale of personal data" means the exchange of personal data for monetary consideration by the controller to a third party and does not include the following.

  • The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • The disclosure or transfer of personal data to an affiliate of the controller;
  • The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience; or
  • The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

"Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests and does not include the following.

  • Advertisements based on activities within a controller's own websites or online applications;
  • Advertisements based on the context of a consumer's current search query, visit to a website, or online application;
  • Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
  • Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.

"Decisions that produce legal or similarly significant effects concerning a consumer" means a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, healthcare services, or access to basic necessities, such as food and water.

"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer and may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

Consumer Rights

A consumer may invoke consumer rights at any time by submitting a request to a controller specifying the consumer rights that the consumer wishes to invoke.

Subject to certain specified exceptions, a controller must comply with an authenticated consumer request to exercise the following rights.

  • To confirm whether or not a controller is processing the consumer's personal data and to access such personal data.
  • To correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.
  • To delete personal data provided by or obtained about the consumer.
  • To obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance where the processing is carried out by automated means.
  • To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Privacy Notice Requirements

A controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following.

  • The categories of personal data processed by the controller.
  • The purpose for processing personal data.
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request.
  • The categories of personal data that the controller shares with third parties, if any.
  • The categories of third parties, if any, with which the controller shares personal data.

A controller must clearly and conspicuously disclose any sale of personal data to third parties or processing of personal data for targeted advertising and the manner in which a consumer may exercise the right to opt out thereof.

A controller must establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.

Controller Responsibilities

A controller must do the following.

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed as disclosed to the consumer.
  • Except as otherwise provided in the VCDPA, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data that are appropriate to the volume and nature of the personal data at issue.
  • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers (a controller shall not discriminate against a consumer for exercising any of the consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer; however, nothing in Virginia Code § 59.1-574(A)(4) shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to Virginia Code § 59.1-573 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program).
  • Not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act.

Processor Responsibilities

A processor must adhere to the instructions of a controller and must assist the controller in meeting its VCDPA obligations, including the following.

  • Taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests.
  • Taking into account the nature of processing and the information available to the processor by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the Virginia breach notification law, Virginia Code § 18.2-186.6, to meet the controller's obligations.
  • Providing necessary information to enable the controller to conduct and document data protection assessments under Virginia Code § 59.1-576.

Controller-Processor Contracts

A contract between a controller and a processor must do the following.

  • Govern the processor's data processing procedures with respect to processing performed on behalf of the controller; and
  • Be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

The contract also must require the processor to do the following.

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
  • At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
  • Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with VCDPA obligations.
  • Allow and cooperate with reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of VCDPA obligations using an appropriate and accepted control standard or framework and assessment procedure for such assessments.
  • The processor must provide a report of such assessment to the controller upon request.
  • Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More