Applicability of the Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, establishes its scope of applicability through a combination of material and territorial factors. Below is a detailed analysis of the law's applicability, including specific provisions and their implications.

Material Applicability Factors

The material applicability of the VCDPA is determined by thresholds related to data processing activities, exemptions for certain entities and data types, and sector-specific exclusions.

1. Number of Data Subjects

• Relevant Provision:

  § 59.1-576(A)(i):

  "This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers."

• Analysis:

  This provision sets a threshold requiring businesses to process personal data for at least 100,000 consumers annually to fall under the VCDPA. It ensures that the law applies primarily to entities with significant data processing activities.

2. Revenue-Based Applicability

• Relevant Provision:

  § 59.1-576(A)(ii):

  "This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."

• Analysis:

  This provision targets businesses deriving more than 50% of their gross revenue from selling personal data while processing data for at least 25,000 consumers annually. This ensures that even smaller entities with data-centric revenue models are subject to regulation.

3. Sectoral Exceptions Regulated by Other Laws

• Relevant Provisions:

  • § 59.1-576(B): Exempts entities such as financial institutions governed by the Gramm-Leach-Bliley Act (GLBA) and healthcare entities subject to HIPAA.
  • § 59.1-576(C): Exempts specific types of data already regulated under federal laws like HIPAA, FERPA, and FCRA.

• Analysis:

  These exemptions prevent duplicative regulation for sectors already governed by stringent federal privacy laws.

4. Nonprofit Organization Exemption

• Relevant Provision:

  § 59.1-576(B)(iv):

  "This chapter shall not apply to any nonprofit organization."

• Analysis:

  Nonprofits are entirely exempt from the VCDPA, reducing compliance burdens on entities focused on public service rather than commercial profit.

5. Higher Education Institution Exemption

• Relevant Provision:

  § 59.1-576(B)(v):

  "This chapter shall not apply to any institution of higher education."

• Analysis:

  Universities and colleges are exempt due to existing regulations like FERPA governing student privacy.

6. Employment and Benefits Data Exemption

• Relevant Provision:

  § 59.1-576(C)(14):

  "Data processed or maintained (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor... (iii) necessary to retain to administer benefits for another individual."

• Analysis:

  Employment-related data and benefits administration data are excluded when processed within these contexts.

Territorial Applicability Factors

The VCDPA applies based on whether an entity conducts business in Virginia or targets Virginia residents with goods or services.

1. Offering Goods and Services to Virginia Residents

• Relevant Provision:

  § 59.1-576(A):

  "This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth."

• Analysis:

  Businesses outside Virginia must comply if they intentionally target Virginia residents through marketing or tailored offerings.

2. Doing Business in Virginia

• Relevant Provision:

  Same as above (§ 59.1-576(A)).

• Analysis:

  Entities physically operating in Virginia must comply if they meet consumer volume or revenue thresholds.

Conclusion

The VCDPA applies to businesses based on thresholds related to consumer volume and revenue derived from personal data sales while exempting certain sectors, nonprofits, higher education institutions, and employment-related data processing activities. The law also extends extraterritorially to entities targeting Virginia residents with goods or services.