Virginia Jurisdiction: Revenue-Based Applicability in the Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) applies to businesses based on specific thresholds related to the control or processing of personal data and the proportion of revenue derived from the sale of such data. The revenue-based applicability factor is a critical component in defining the scope of this law.

Text of Relevant Provisions

VCDPA para.59.1-576(A)(ii):

"A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."

Original (Language):

"A. This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data."

Analysis of Provisions

• VCDPA para.59.1-576(A)(ii) establishes that the law applies to entities that not only process or control the personal data of at least 25,000 consumers but also derive more than 50% of their gross revenue from the sale of this personal data. This provision targets businesses whose primary income stream is dependent on the monetization of personal data.
• The inclusion of a specific revenue threshold (over 50% of gross revenue from data sales) alongside the consumer data threshold (25,000 consumers) serves a dual purpose:
  • It ensures that companies that heavily rely on selling personal data, even if they are not large in terms of total revenue, are still subject to the law.
  • It captures smaller entities that might otherwise fall outside the scope of the law due to their overall size but pose significant privacy risks due to their business models.
• This provision is designed to regulate entities that might otherwise evade regulation due to their smaller size but have significant impacts on consumer privacy through their data-centric business models.

Implications

• For Businesses: Companies operating in Virginia that derive substantial revenue from the sale of personal data must be vigilant in their data protection practices. Even if they do not meet the broader threshold of controlling or processing data for 100,000 consumers, their revenue model could still bring them under the VCDPA’s purview.
• For Data-Driven Enterprises: This factor emphasizes the need for transparency and compliance for businesses whose profitability hinges on selling personal data. They must align their data practices with the VCDPA’s requirements to avoid legal exposure.
• Compliance Considerations: Companies approaching or surpassing the 50% revenue threshold from data sales must assess their data processing activities and revenue sources to determine whether they fall within the VCDPA’s scope. This analysis will be crucial for avoiding inadvertent non-compliance and the associated penalties.