Written by Mark Bowers
On 2 March 2021, the Virginia Consumer Data Protection Act (“VCDPA”) was signed into law, taking effect from 1 January 2023.
The privacy regime created by the VCDPA draws heavily on laws and regulations already in effect, such as the California Consumer Privacy Act (“CCPA”) and the European Union General Data Protection Regulation 2016/679 (“GDPR”). The provisions of the VCDPA set out responsibilities and privacy protection standards for both “data controllers” and “processors,” borrowing those terms from the GDPR. The VCDPA requires organisations to conduct data protection assessments and to implement certain policies and procedures to ensure compliance. It also includes broad exemptions from coverage for certain classes of entities and types of data that are already covered by federal data protection laws.
Organisations will need to assess carefully whether their activities are covered by the VCDPA and, if they are, take steps to ensure they comply with it by 2023. The law applies to both U.S. and non-U.S. companies that process the personal information of more than 100,000 Virginia consumers, or that process the personal information of more than 25,000 Virginia consumers and also derive more than 50% of their revenue from the sale of that data.
• The VCDPA and CCPA apply to businesses under different circumstances, making it important for businesses to assess whether they fall within the Virginia law.
• Data controllers may be incentivised by the VCDPA’s exemptions to increase their use of pseudonymous data in order to avoid the obligation to comply with consumer requests and minimise their potential liability under the statute.
• The use of DPAs (data protection assessments) as a mechanism for ensuring that specific types of activities are conducted in a manner that maintains the security of consumers’ personal data is likely to be incorporated into other states’ data protection regimes, and it imposes a potentially significant burden on entities seeking to comply.
• Companies with strong GDPR and CCPA compliance programmes may enjoy a head start in ensuring compliance with the VCDPA, but there are important differences between the regimes, and compliance with the VCDPA will require specific focus.
• The enactment of the VCDPA suggests that there is momentum for other states to enact privacy legislation, such as Washington and New York, which will soon pass their own data protection laws. This development will complicate the compliance obligations companies face in the US and may increase pressure to pass a comprehensive federal data privacy law to supersede and simplify the laws in this space.
The US legal system is a patchwork of laws that creates inherent risks and uncertainties for insurers providing coverage in that jurisdiction. The growth of state-level data protection laws will only increase the risk and exposure that insurance companies face, and will make risk assessment and loss management more difficult to predict and manage. A federal data protection law would go a long way towards providing a universal framework that could be adopted state by state, as it would bring significantly more clarity on standards, obligations, compliance and risk management. The reality is that each state is its own island; rather than creating certainty and consistency across the board, the legal landscape will continue to develop in a fragmented way, creating risk rather than certainty and clarity.