USA - Virginia: Doing Business in Jurisdiction

Applicability of Data Protection Law in Virginia to Organizations Doing Business in the Jurisdiction

The factor of "doing business in the jurisdiction" is essential in determining the applicability of the Virginia Consumer Data Protection Act (VCDPA). It ensures that entities that have a commercial presence or that produce products or services targeted at Virginia residents are subject to the state's data protection regulations.

Text of Relevant Provisions

VCDPA para. 59.1-576(A):

"A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."

Analysis of Provisions

The Virginia Consumer Data Protection Act (VCDPA) utilizes the "doing business in the jurisdiction" factor to outline its scope of applicability. According to VCDPA para. 59.1-576(A), the law applies to entities that either conduct business in Virginia or produce products or services specifically targeted at Virginia residents.

The criteria for applicability include:

  1. Conducting business in the Commonwealth, or
  2. Producing products or services targeted at residents of the Commonwealth.
  3. Additionally, the entity must either:
    • Control or process personal data of at least 100,000 consumers during a calendar year, or
    • Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

This dual threshold ensures that the VCDPA covers significant data processing activities, either by volume (number of consumers) or by business model (revenue derived from data sales).

The rationale for including this factor is to ensure that entities engaging significantly with Virginia residents are held accountable for data protection, regardless of whether they have a physical presence in the state. This approach protects consumers by extending the law's reach to any business substantially interacting with the state's residents.

Implications

For Businesses and Data Processors:

  • Broad Applicability: Entities conducting business in Virginia or targeting products or services to Virginia residents must comply with the VCDPA if they meet the specified thresholds.
  • Comprehensive Coverage: The law encompasses both high-volume data controllers/processors and those deriving substantial revenue from data sales.
  • Regulatory Obligations: Businesses must implement measures to protect personal data, including compliance with the VCDPA's data processing and sales restrictions.

Case Examples:

  • A national e-commerce company that markets its products to Virginia residents and processes personal data of over 100,000 consumers must comply with the VCDPA.
  • A data analytics firm that processes data of at least 25,000 Virginia residents and earns more than 50% of its revenue from selling personal data is subject to the VCDPA.

By defining the applicability of the VCDPA based on "doing business" and targeting products or services to Virginia residents, the law ensures comprehensive data protection coverage, enhancing consumer privacy and security within the state.

