In the last few years, we have seen an increased emphasis on data privacy in the legal sphere. The European Union (EU) adopted the General Data Protection Regulation (GDPR) in 2016 with the goal of protecting the personal data of individuals living in the EU. In the United States, California passed the California Consumer Privacy Act (CCPA) in 2018, taking clear inspiration from the GDPR.
Continuing that trend, the Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021 and will come into effect on January 1, 2023. This law will make Virginia the second state to enact privacy laws after California. The VCDPA draws from other privacy laws like the CCPA and the GDPR, and it has received support from technology industry trade groups as well as hotshot businesses like Amazon and Microsoft.
What is the VCDPA?
The VCDPA grants Virginia residents the right to access, correct, delete, know, and opt out of the sale and processing of their personal information for targeted advertising purposes. This statute defines personal data as information that is linked or reasonably linkable to an identified or identifiable person. However, the VCDPA does exclude employment data, personal data that cannot be attributed to an individual without additional information, and de-identified data or publicly available information.
If an entity does not provide Virginia residents with the proper rights over their personal information, then the Attorney General can decide whether to enforce the statute. The organization will then receive a written notice from the Attorney General identifying the alleged violations, and it will have thirty days to undo violations before the law is enforced.
What Organizations are affected?
The VCDPA applies to all entities that do the following:
- Conduct business in Virginia or offer products and services to residents of Virginia and either:
  - Control or process personal data of at least 100,000 Virginia residents
  - Derive over 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents
The following five entities are entirely exempt from the VCDPA even if they meet the previous requirements:
- Virginia state bodies and agencies
- Financial institutions and data subject to the Gramm-Leach-Bliley Act
- Entities or business associates covered under the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act
- Nonprofit organizations
- Institutions of higher education
Why is this Important for the Nonprofit Community?
While the VCDPA does not currently apply to nonprofit organizations, we don’t yet know how consumers and businesses will interact within the law or how the Attorney General will interpret certain aspects of the law. Nonprofit organizations should still keep an eye on how the VCDPA is being enforced in case it shifts to include nonprofits.
The enactment of the VCDPA and other data privacy regulations may also set precedents for future laws that will affect nonprofit organizations. Shortly after the VCDPA was passed, Colorado enacted the Colorado Privacy Act on July 8, 2021, making it the third state, after Virginia, to pass its own data privacy law. Currently, New Jersey, New York, Washington, Minnesota, and Oklahoma are planning to enact similar laws. If your nonprofit works with more than one state in the US, then it is important to stay on top of how the law is shifting since data privacy laws will vary by state.
If you ever feel overwhelmed by the world of data privacy regulations, we recommend that you contact your legal counsel. However, DelCor can help get you started by reviewing your data policies and identifying areas of concern.