Applicability of Virginia Consumer Data Protection Act Based on Number of Data Subjects

The factor "Number of Data Subjects" is explicitly used in the Virginia Consumer Data Protection Act (VCDPA) to determine the scope of the law's applicability. This factor sets thresholds for the number of consumers whose personal data is controlled or processed, thereby impacting whether a business is subject to the VCDPA regulations.

Text of Relevant Provisions

Referenced Provision(s):

"VCDPA para.59.1-576(A)(i) A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or"

"VCDPA para.59.1-576(A)(ii) A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."

Original (Language):

"VCDPA para.59.1-576(A)(i) A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or"

"VCDPA para.59.1-576(A)(ii) A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."

Analysis of Provisions

The Virginia Consumer Data Protection Act (VCDPA) uses specific thresholds to determine the applicability of its provisions based on the number of data subjects whose personal data is controlled or processed by a business.

Breakdown and Explanation:

• VCDPA para.59.1-576(A)(i):
  • "control or process personal data of at least 100,000 consumers": This clause sets a threshold that requires a business to control or process personal data for at least 100,000 consumers within a calendar year to be subject to the VCDPA.
• VCDPA para.59.1-576(A)(ii):
  • "control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data": This provision applies to businesses that control or process the personal data of at least 25,000 consumers and derive more than 50% of their gross revenue from selling personal data. This dual criterion captures entities with significant data processing activities and a revenue model reliant on data sales.

Implications

Implications for Business:

• Scope Limitation: The VCDPA’s applicability thresholds exclude smaller businesses that do not meet the 100,000 or 25,000 consumer thresholds, focusing regulatory efforts on larger entities or those heavily involved in data trading.
• Targeted Compliance: Companies approaching or exceeding these thresholds must invest in compliance infrastructure to align with the VCDPA requirements. This includes implementing robust data protection practices, consumer rights management, and transparent data handling procedures.
• Revenue Model Consideration: Businesses deriving substantial revenue from the sale of personal data (over 50% of gross revenue) are specifically targeted by para.59.1-576(A)(ii). This means that even smaller entities with a heavy reliance on data sales must comply with the VCDPA if they meet the 25,000-consumer threshold.

Examples:

• Applicable: A large online retailer operating in Virginia that processes personal data of 120,000 consumers annually is subject to the VCDPA.
• Not Applicable: A small local service provider processing data for 20,000 consumers annually without significant revenue from data sales remains outside the scope of the VCDPA.

These thresholds ensure that the law targets entities with significant data processing activities or business models heavily dependent on data, thereby focusing regulatory oversight where it is most needed.