VCDPA Exemptions: List of Exempt Data
Any business that conducts operations in Virginia, or whose website is accessed by Virginia residents, is more than likely required to comply with the Virginia Consumer Data Protection Act 2021 (VCDPA).
There are, however, VCDPA exceptions as not all businesses are subject to the provisions laid out under the VCDPA.
In this article, we will take a close look at the VCDPA: when and why it was enacted, what it covers, who and what data is exempted, and what your business should consider to ensure legal compliance, helping you to avoid any unnecessary and costly legal wrangles.
Let’s dive right in.
- The VCDPA legislation exists to protect the personal data of a Virginia data subject. The act sets out strict standards of corporate compliance for those obligated businesses in the manner that they collect, use, and store personal data. This may include sensitive personal data such as financial and health records.
- The act instructs organizations to be transparent about their data collection methods as well as giving consumers the right to control the use and deletion of their personal information.
- Not all companies are obligated to abide by the regulations as set out in the VCDPA. The act provides exemptions for certain businesses according to section 59.1-572 of the VCDPA. These include small businesses, financial institutions, health-related businesses, and more.
Virginia Consumer Data Protection Act Explained
The VCDPA, enacted on March 2, 2021, and made effective on January 1, 2023, sets in place consumers' rights, obligations for businesses, and penalties around any violation of consumer data privacy.
The VCDPA legislation exists to protect the data privacy of Virginia consumers. The act sets out strict standards for those obligated businesses to abide by in the manner that they collect, use, and store personal data, which may include sensitive personal data such as financial and health records.
The VCDPA applies to any for-profit company conducting business in Virginia that promotes their products and services to Virginia residents or controls or processes the personal information of 100,000 or more Virginia residents.
The act is also applicable to companies that process the personal data of at least 25,000 Virginia residents and where 50% or more of their gross revenue is derived from selling personal data.
The act instructs organizations to be transparent about their data collection methods as well as giving consumers the right to control the use and deletion of their personal information. The requirements as set out by the VCDPA for company data controllers, unless they qualify for an exemption, obligate controllers to:
- Only collect necessary and relevant data. The rights the VCDPA provides to consumers are similar to those under the CCPA and the EU General Data Protection Regulation (GDPR), which were in place before the VCDPA. Limiting the quantity of data collected helps to further protect consumers against data threats such as online hacking and theft. The purpose of any data collection must be disclosed to the consumer.
- Allow opting out by establishing one or more secure, reliable and easily accessible means for consumers to submit a request to exercise their consumer rights and opt out.
- Maintain data security. Controllers must also create and implement data protection practices, allied with a data protection assessment process, that ensure the confidentiality, integrity, and accessibility of personal information.
- Don't discriminate through the use of profiling via any automated process for evaluation purposes of a person's health, economic situation, personal preferences, interests, reliability, behavior, location, or movements. A data subject has the right to opt out of profiling.
- Be mindful of sensitive data processing. A business must obtain consent before processing a consumer's VCDPA sensitive data. The law defines "sensitive data" as personal information that reveals a person's religious beliefs, race, ethnic origin, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status. Personal data also includes data from a child under 13 years of age, any genetic or biometric data that has been processed to identify an individual, and any precise geolocation data.
- Provide a privacy notice to consumers that is reasonably accessible, clear, and meaningful and explains what data is to be collected and the reason for the data processing. Any notice must explain how consumers can exercise their rights, including their right to appeal. This means controllers must share their contact information. The notice must also detail whether the company shares any of the collected data from a data subject with third parties.
- Have third-party data processing agreements in place that clearly communicate the instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of all parties involved.
- Conduct data protection assessments to evaluate the risks associated with the company's data processing activities.
A company's non-compliance with the VCDPA will result in significant penalties, as the act provides enforcement mechanisms. We will cover administrative recourse for any violation of the provisions in more detail later in this article.
Does the VCDPA Have Exemptions?
Not all companies are obligated to abide by the regulations as set out in the VCDPA. The act provides exemptions for certain businesses according to section 59.1-572 of the VCDPA.
Although there are many businesses that do qualify for exemption from legislated compliance to the VCDPA, it is important to first establish if your business or the personal data your business collects is exempt from complying with this act.
The business and industry entities that may be exempt are categorized by two main factors: entity-level exemptions and data-level exemptions. Exemptions are applicable based on the purpose of these organizations and allow for ease of data processing.
VCDPA Exemptions for Organizations
Business entities that may be exempt from the VCDPA include those falling under the category of entity-level organizations that collect and store consumer data. Five main types of entity-exempt organizations are identified under the VCDPA.
Small businesses that do not control or process the personal data of 25,000 or more consumers during a calendar year are exempt if less than 50 percent of their gross revenue is derived from the sale of personal data.
Small businesses that control or process the personal data of fewer than 100,000 consumers, with very little data sold, are also exempt from the obligations of the act since they do not meet the threshold requirement for data.
Any financial business is subject to Title V of the federal Gramm-Leach-Bliley Act. Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA) governs how nonpublic personal information about consumers is handled by financial institutions.
These regulations ensure that financial institutions meet the requirements to protect the privacy of consumers' personal financial information.
Since they are subject to GLBA requirements that are as strict as or stricter than the VCDPA requirements, they are exempt from the VCDPA.
Health Related Businesses
Businesses governed by, or associated with other companies that fall under, the provisions of the Health Insurance Portability and Accountability Act (HIPAA) are obligated to abide by that act's privacy, security, and breach notification rules.
HIPAA, enacted in 1996, is a federal law that created national standards to prevent sensitive patient health information from being disclosed without the patient's consent or knowledge.
There are many non-profit organizations, such as religious organizations, children's homes, foster homes, and animal protection organizations, that are exempt from the requirements of the VCDPA. However, entities like children's homes are subject to other federal laws, and personal data is covered under laws like the Children's Online Privacy Protection Act (COPPA).
COPPA imposes obligations for the operators of websites or any online services targeting children younger than 13 years of age.
Higher Education Institutions
Places of learning that offer post-secondary education, such as colleges or universities, are exempt from the requirements of the privacy act.
Virginia State Agencies
Any body, authority, board, commission, district or agency of the Commonwealth of Virginia, or of a political subdivision of the Commonwealth, will be exempt.
There are dozens of Virginia state institutions that are not under the scope of the privacy act, such as the Department of Education, Library of Virginia and Department of Health Professions.
VCDPA Exemptions for Data
The VCDPA also provides for data-level exemption where certain data categories are outside the applicability of the privacy act. There are 14 types of exempt personal information, including:
- Employee records
- Health information of individuals protected under the Health Insurance Portability and Accountability Act (HIPAA)
- Personal information under regulations of the Family Educational Rights and Privacy Act (FERPA)
- Personal data from credit reports regulated by the federal Fair Credit Reporting Act (FCRA)
- Vehicle driver information, regulated by the federal Driver's Privacy Protection Act of 1994
- Information and data subject to Title V of the Gramm-Leach-Bliley Act, which largely regulates banks and financial institutions
Penalties for Non-Compliance with the VCDPA
The Virginia attorney general (AG) has exclusive authority to enforce Virginia privacy laws. However, prior to initiating an action, the AG must give the controller or processor 30 days' written notice identifying what specific provisions have allegedly been violated.
If the controller cures the noticed violation within the 30-day period, providing the AG with the prerequisite written statement advising the curing of the alleged violations and that no further violations shall occur, then no action shall be initiated against the controller or processor.
Any continuation of a violation of the VCDPA or breach of the express written statement will allow the AG to initiate an action in the name of the Commonwealth. The AG may seek an injunction to restrain any violations of the VCDPA, along with civil penalties of up to $7,500 for each violation.
With the seemingly overwhelming amount of information available regarding data privacy law in the USA and around the globe, businesses face the continuous challenge of ensuring compliance with updated data privacy laws across different markets. Businesses obligated to abide by the Virginia Privacy Act must also keep up with VCDPA amendments.
Businesses that process personal and sensitive consumer data need to ensure complete compliance with every section of the law to avoid expensive civil penalties. With this in mind, the next step should be to plan and implement the processes and controls needed to comply with the VCDPA as it is updated.
My business is located in Richmond, Virginia. Do I need to worry about sharing my customers' data?
Yes, as your business is located in the state of Virginia, the VCDPA is applicable to you if you process the data of over 100,000 Virginians or process sensitive data that is not exempt.
May a data controller collect any personal information?
No, they may only collect necessary and relevant data. And the purpose of any data collection must be disclosed to the consumer.
We belong to a non-profit organization and run a foster home. Must we comply with the VCDPA?
No, as the act provides exemptions for certain entities, including non-profit organizations.
Who enforces the privacy act in Virginia?
The attorney general of the Commonwealth of Virginia has exclusive authority to enforce the VCDPA.