Three recently approved amendments to the Virginia Consumer Data Protection Act offer business-friendly tweaks that solidify the law ahead of its Jan. 1, 2023, effective date.
The amendments—which add an exemption to the law’s right to delete, modify its definition of nonprofit, and alter the funding structure for enforcement—were approved by
While the changes offer clarity for privacy professionals, questions remain over the prospect of future amendments as California and Colorado launch into rulemaking under their respective privacy laws, attorneys say.
The VCDPA was signed into law by former Gov. Ralph Northam (D) in March 2021, making Virginia the second U.S. state, after California, to pass comprehensive consumer privacy legislation. Colorado passed its privacy law in July 2021, and Utah greenlit its state’s measure in March.
“These updates are business-friendly, and that’s been the consensus with the Virginia law—that it’s more business-friendly than laws in Colorado and California,” said Ali Jessani, a senior associate at Wilmer Cutler Pickering Hale and Dorr LLP in Washington, D.C. “It makes companies’ obligations a little less onerous.”
The changes don’t radically alter how companies should prepare for VCDPA compliance, but they provide clarity on topics that had been raised after the law passed, said Greg Szewczyk, a partner at Ballard Spahr LLP in Denver.
“These are significant in the sense that the VCDPA is now done in terms of what it’s going to look like when it takes effect,” Szewczyk said. “It’s nice to have some finality.”
Work Group Output
The amendments were inspired by the Virginia Consumer Data Protection Work Group, which met six times over the course of 2021.
Unlike California, Virginia does not have a standalone privacy regulator tasked with promulgating regulations for the law. Instead, lawmakers floated amendments based in large part on recommendations from the Joint Commission on Technology and Science’s final report released in November.
“The working group gave people a chance to express their concerns, and the amendments that resulted are fairly narrow,” said Samantha Sedivy, an associate at Reed Smith LLP in Richmond, Va. “Their approach was methodical, and the votes were overwhelmingly bipartisan.”
The amendment to the right to delete applies when companies obtain a consumer’s personal data from a source other than that person. It states that in those circumstances, the company will be considered in compliance with the law by either retaining a record of a consumer’s deletion request or opting the consumer out of the processing of their personal data except for exempted purposes.
Another amendment adds political organizations to the definition of “nonprofit organizations,” which are exempt from the law’s requirements.
Youngkin also greenlit an amendment that repeals creation of the Consumer Privacy Fund that would have housed civil penalties from enforcement, switching the repository to the existing Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. It stipulates that penalties, expenses, and attorney fees from enforcement be deposited into the state trust fund.
That change, instituted so the attorney general wouldn’t have to wait for funds to begin enforcement, doesn’t affect companies’ obligations under the law, Sedivy said.
Which further amendments, if any, Virginia legislators choose to push next year will likely depend on what other states do—including upcoming regulations from the California Privacy Protection Agency and future rules from
“The Virginia law is pretty good to go at this point, but it may change depending on how other states and the Federal Trade Commission act,” Smoyer said. “Changes to other laws or new rules could trigger Virginia’s legislature to restart the amendment process.”
Virginia legislators may adopt amendments next year centered around universal opt-out signals, which is a topic for rulemaking under the California Privacy Rights Act, Szewczyk said. The VCDPA doesn’t in its current form require businesses to respect opt-out preference signals, but the working group report recommends that they honor a global opt-out setting selected by consumers.
Organizations, even those exempted from the VCDPA’s requirements, should consider best practices and use the law as a guide, said Cassandra Gaedt-Sheckter, a partner at Gibson, Dunn & Crutcher LLP in Palo Alto, Calif.
Nonprofits and other exempted entities can use data protection laws as inspiration for good cyber hygiene, and that may prove useful as additional jurisdictions impose privacy and cybersecurity statutes, she said.
“Companies need to be thinking holistically about best practices and transparency,” Gaedt-Sheckter said. “They should consider overall risks in how they deal with data, and not just one law in particular.”