VCDPA: Assessments, De-identified Data, Enforcement, and Exceptions

Data Protection Assessments

Data protection assessment requirements will apply to processing activities created or generated after January 1, 2023, and are not retroactive.

A controller must conduct and document a data protection assessment of each of the following processing activities involving personal data.

• Processing of personal data for purposes of targeted advertising.
• Sale of personal data.
• Processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers.
• Processing of sensitive data.
• Any processing activities involving personal data that present a heightened risk of harm to consumers.

Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.

The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller.

A single data protection assessment may address a comparable set of processing operations that include similar activities.

De-identified Data

A controller in possession of de-identified data must do all of the following.

• Take reasonable measures to ensure that the data cannot be associated with a natural person.
• Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
• Contractually obligate any recipients of the de-identified data to comply with all provisions of the VCDPA.

A controller that discloses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and must take appropriate steps to address any breaches of those contractual commitments.

Enforcement

The Virginia attorney general will have exclusive authority to enforce the provisions of the VCDPA.

If a controller or processor continues to violate the VCDPA following a 30-day written notice (including a cure period) provided by the Virginia attorney general thereof or breaches an express written statement provided to the Virginia attorney general, the Virginia attorney general may initiate an action and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation under the VCDPA.

The Virginia attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorneys' fees, in any action initiated under the VCDPA.

Nothing in the VCDPA shall be construed as providing the basis for, or be subject to, a private right of action for violations of the VCDPA or under any other law.

Exceptions

The VCDPA shall not apply to any of the following.

• Virginia body, authority, board, bureau, commission, district, or agency or any political subdivision thereof;
• Financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act;
• Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act;
• Nonprofit organization; or
• Institution of higher education.

The following information and data are exempt from the VCDPA.

• Protected health information under HIPAA.
• Health records for purposes of Title 32.1.
• Patient identifying information for purposes of 42 U.S.C. § 290dd-2.
• Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research conducted in accordance with the requirements set forth in the VCDPA, or other research conducted in accordance with applicable law.
• Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986.
• Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act.
• Information derived from any of the healthcare-related information listed in Virginia Code § 59.1-572(C) that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.
• Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under Virginia Code § 59.1-572(C) that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2.
• Information used only for public health activities and purposes as authorized by HIPAA.
• The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act.
• Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994.
• Personal data regulated by the federal Family Educational Rights and Privacy Act.
• Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act.
• Data processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role, (ii) as the emergency contact information of an individual under the VCDPA used for emergency contact purposes, or (iii) that is necessary to retain to administer benefits for another individual relating to the individual under clause (i) and used for the purposes of administering those benefits.

Nothing in the VCDPA shall be construed to restrict a controller's or processor's ability to do the following.

• Comply with federal, state, or local laws, rules, or regulations.
• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
• Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
• Investigate, establish, exercise, prepare for, or defend legal claims.
• Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract.
• Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person and where the processing cannot be manifestly based on another legal basis.
• Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
• Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine (i) if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
• Assist another controller, processor, or third party with any of the obligations under Virginia Code § 59.1-578(A).

The obligations imposed on controllers or processors under the VCDPA shall not restrict a controller's or processor's ability to collect, use, or retain data to do the following.

• Conduct internal research to develop, improve, or repair products, services, or technology.
• Effectuate a product recall.
• Identify and repair technical errors that impair existing or intended functionality.
• Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

The obligations imposed on controllers or processors under the VCDPA shall not apply where compliance by the controller or processor with the VCDPA would violate an evidentiary privilege under the laws of Virginia.

Nothing in the VCDPA shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of Virginia as part of a privileged communication.

Nothing in the VCDPA shall be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the US Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.

Personal data processed by a controller pursuant to Virginia Code § 59.1-578 may be processed to the extent that such processing is all of the following.

• Reasonably necessary and proportionate to the purposes listed in Virginia Code § 59.1-578.
• Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in Virginia Code § 59.1-578.

Personal data collected, used, or retained pursuant to Virginia Code § 59.1-578(B) shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.

Personal data processed by a controller pursuant to Virginia Code § 59.1-578 shall not be processed for any purpose other than those expressly listed in Virginia Code § 59.1-578 unless otherwise allowed by the VCDPA.

If a controller processes personal data pursuant to an exemption in Virginia Code § 59.1-578, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in Virginia Code § 59.1-578(F).