The Virginia Consumer Data Protection Act (VCDPA) uses the factor of "Offering Goods and Services to Data Subjects in Jurisdiction" as one of the criteria for determining the law's applicability to businesses operating in or targeting Virginia residents.

Text of Relevant Provision

VCDPA § 59.1-576(A) states:

"A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."

Analysis of Provisions

The VCDPA's scope of applicability is determined by two main factors:

1. Business presence: "conduct business in the Commonwealth"
2. Targeting residents: "produce products or services that are targeted to residents of the Commonwealth"

The second factor directly relates to offering goods and services to data subjects in Virginia. This provision extends the law's reach beyond businesses physically located in Virginia to those that intentionally target Virginia residents with their products or services.

The law also includes threshold requirements for the number of consumers whose data is processed and the percentage of revenue derived from data sales. These thresholds serve to limit the law's application to businesses of a certain size or those significantly engaged in data-related activities.

Implications

The inclusion of this factor has several implications for businesses:

• Extra-territorial effect: Companies outside Virginia may still be subject to the VCDPA if they target Virginia residents with their products or services.
• Intentional targeting: Businesses need to assess whether their activities constitute "targeting" Virginia residents. This could include:
• Marketing campaigns specifically aimed at Virginia
• Offering Virginia-specific products or services
• Using Virginia-specific language or currency on websites
• Threshold considerations: Even if a business targets Virginia residents, it must meet the consumer data processing thresholds to fall under the law's scope:
• Processing data of at least 100,000 Virginia consumers annually, or
• Processing data of at least 25,000 Virginia consumers and deriving over 50% of gross revenue from personal data sales
• Compliance assessment: Businesses operating outside Virginia need to evaluate their activities and determine if they fall under the VCDPA's jurisdiction, potentially requiring them to implement compliance measures.
• Strategic decisions: Companies may need to consider whether to continue targeting Virginia residents or adjust their practices to avoid falling under the VCDPA's scope.

This approach aligns with other modern data protection laws, such as the EU's GDPR, which also consider the targeting of residents as a factor for determining applicability. It reflects the legislator's intent to protect Virginia residents' data rights regardless of where the data controller or processor is located, acknowledging the global nature of digital services and data processing activities.