What is the Virginia Consumer Data Protection Act (VCDPA)?

Addressing concerns about data privacy is more important today than ever before, and data protection laws have become reasonably necessary all over the world.

For example, the General Data Protection Regulation (GDPR) protects personal data privacy across the European Union.

Meanwhile, the United States still hasn’t enacted any data protection regulation law at the federal level. There are, however, some laws that exist at the state level.

The most famous are both the California Consumer Privacy Act (CCPA) which went into effect January 1, 2020, and the California Privacy Rights Act (CPRA) which amends and expands the CCPA, and took effect on January 1, 2023.

Another state-wide data privacy act is the Virginia Consumer Data Protection Act (VCDPA).

This act was signed into law in March of 2021 by former governor Ralph Northam and went into effect on January 1, 2023.

In the interim, in April of 2022, current Virginia governor Glenn Youngkin approved certain amendments to the act ahead of the VCDPA effective date.

In our article, we’ll review both the VCDPA itself and the amendments that were added in before the law took effect.

We’ll also explore the penalties businesses may expect to receive if found to be in violation of the act, and take a look at the extent, if any, of how PandaDoc is affected by these changes.

Here we go!

What is VCDPA?

As we mentioned above, the Virginia Consumer Data Protection Act is a comprehensive data privacy law that went into effect throughout that state at the beginning of 2023.

Many experts believe that the VCDPA, rather than the California Consumer Privacy Act (CCPA), could serve as a basis for designing a nationwide data privacy protection law.

Here are the key provisions of VCDPA:

• Сonsumers have the right to access, correct, obtain a copy of, or opt out of their personal data.
• Businesses must provide transparent and accessible privacy notices.
• Personal data should only be used for the purposes specified at the time of its collection. Its amount must be minimally required for fulfilling the collecting purposes.
• Companies must conduct risk assessments for any data processing activities they run.
• Companies must implement sufficient security measures in order to eliminate the possibility of unauthorized access, use, or disclosure of personal data.

VCDPA basic concepts, terms, and definitions

Let’s start with some important terms.

Understanding them in full helps keep everything crystal clear about this important legislation.

Consumers

Consumers are natural persons residing within the controlled area (officially: the Commonwealth of Virginia) and are acting only in an individual or household context (not acting in the context of any commercial or employment activities).

Controllers and processors

This aspect of data collection is broken down into two categories (types of persons handling data):

A controller means a legal or natural person who determines the purpose of personal data processing and the corresponding means by which it is processed.

A processor is a legal or natural person who processes personal data on behalf of the controller.

Children and children’s data

Within the VCDPA act, children are natural persons 13 years old and younger.

When processing children’s personal data obtained online, the controller must act in accordance with another regulative act called Children’s Online Privacy Protection Act (COPPA).

Sensitive data

The part of act describes categories of data that must be considered sensitive (and handled as such):

• Personal data that reveals ethnic or racial origin
• Children’s data
• Precise geodata (with a geo point radius that equals to or is less than 1,750 feet)
• Biometric or genetic data used for person detection
• Citizen or immigrant status
• Mental and physical health information
• Personal religious preferences
• Gender identity preferences and sexual activity
• Health records.

Limitations of usage

VCDPA has usage limitations tied to different factors. You can see a list of them below.

• The act isn’t applicable to protected health information (regulated by the Health Insurance Portability and Accountability Act (HIPAA)).
• The same holds true for the Family Educational Rights and Privacy Act (FERPA) and educational records, as well.
• Nonprofits, state agencies, colleges, and universities.
• Subjects to Title V of the Gramm-Leach-Bliley Act (GLBA) — banking and financial organizations dealing with the non-public personal information of their customers.
• Residents of Virginia aren’t allowed to sue directly those accused of law violations.

What are the differences between VCDPA, CCPA/CPRA, and GDPR?

While the VCDPA is similar to both the CCPA (CPRA) and GDPR in many respects, there are distinctions, the most obvious being the jurisdictions they cover.

For comparison, we’ve gathered all the significant differences in the table below.

Factor	VCDPA	CCPA/CPRA	GDPR
Jurisdiction the act applies to	Virginia, USA	California, USA	European Union, European Economic Zone Area
Applicability	Businesses that control or process personal data of 100,000+ Virginian residents; Businesses that control or process personal data of 25,000 Virginian residents + derive over 50% of their gross revenue from the sale of personal data	Businesses that buy or sell personal data of 100,000+ Californians, or derive 50% or more of their annual revenue from selling + have a gross annual revenue of more than $25 million	Businesses of any size that process personal data of EU individuals
Personal data definition	Any information that can be linked to an individual or a household	Any information that can be linked to an individual	Any information relating to an identified or identifiable natural person
Consumer rights	Access/delete personal data Opt out the sale of personal information Opt out targeted ads and profiling Correct inaccuracies	Access/delete personal data Correct inaccuracies Limit sensitive personal information Opt out the sale of personal information Data portability right	Access/rectify/delete personal data Restrict or object to the processing of personal data Being informed about processing Data portability right
Data protection assessments	Covered businesses must conduct and document data protection assessments for certain activities	—	Must conduct Data Protection Impact Assessments (DPIAs) for risky cases Must appoint a Data Protection Officer (DPO) in certain cases
Enforcement	No private right of action	Limited private right of action	Enforced by national Data Protection Authorities (DPAs), who can investigate and punish for noncompliance
Penalties system	More straightforward (see the details below in special article block)	Multi-tiered and more flexible	Up to €20 million or 4% of the annual turnover

All the changes of VCDPA that came into action in 2023

Now, let’s take a more detailed look at the important aspects of VCDPA in terms of its last major modifications.

The revisions were released as three amendment bills covering these changes.

The right to delete is replaced with the opt out option

Initially, the VCDPA offered consumers the right to claim the deletion of their personal data, even in cases where the data was collected from any third-party source rather than from the consumer themselves.

The first major amendment to the law replaced the right to delete with the right to opt customers out of processing their personal data by data brokers.

This makes sense due to the fact that once-deleted personal data may be then recollected from indirect sources without being aware that the violation happened.

In other words, the law grants data brokers an opportunity to process all the data they have that cannot be attributed to any person explicitly prohibiting its processing.

The same rules are also set for pseudonymous data, which can be processed without limitations.

In sum, opting consumers out means that if the data brokers are in possession of original (non-public) consumer data where a verified request is on record to not to process it, the brokers are then prohibited from doing so.

Definition of “nonprofit” changes

The second amendment bill signed by the governor covers the definition of nonprofit organizations affected by the VCDPA.

The definition has become wider to include political organizations as well. In the same way as before, all the nonprofits are out of the VCDPA’s applicability.

New penalties’ accumulator and distributor

After signing the third amendment bill, the Consumer Privacy Fund — the location where all civil penalties and attorney’s fees were accumulated — was repealed.

The monies from penalties, expenses and fees are now held in a state treasury and funds are credited toward the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund for any penalty distribution purposes.

VCDPA penalties for businesses found violating it

Compared to California’s data privacy act, the VCDPA penalty structure is slightly different with respect to fees for noncompliance.

The process of enforcement looks as follows:

1. Once noncompliance is detected or alleged, the Virginia Attorney General must issue and deliver a violation stating as much to the named business. No other legal action occurs at this time.
2. The alleged violator of the VCDPA has 30 days from the date of delivery to fix the violations and send a written statement stating that the fix has been completed and that the company won’t violate the privacy act in the future. If this condition is found to be sufficiently met, no fines will be applied.
3. For businesses that are deemed to have not met the condition, a fine per single infringement could be up to $7,500, without differentiation by intention. CCPA, by comparison, differentiates intentional infringements (up to a $7,500 fine per each infringement) from unintentional ones (up to a $2,500 fine).

As you can see, the penalties in VCDPA, when compared with the European GDPR, are much less severe.

GDPR sets the most severe fines for noncompliance at up to 20 million Euros or 4% of annual revenue, whichever is higher.

These totals are manifold larger than anything likely to be imposed on American companies operating in Virginia or California.

How PandaDoc is affected

The number of PandaDoc’s corporate customers has just surpassed 50,000.

This means that the number of individual users of the software is continuing to grow.

But it’s safe to say that the company hasn’t currently been affected by the VCDPA law.

Let’s take a look at the reasons to justify why that’s the case:

• The company’s headquarters are located in San Francisco. Simply put, this is California, not Virginia.
• Since the global total of PandaDoc customers is now tabulated to be 50,000, it is highly unlikely that half of them (25,000) are located in the state of Virginia (as noted above, one of the applicability thresholds for VCDPA is “Businesses that control or process personal data of 25,000 Virginian residents + derive over 50% of their gross revenue from the sale of personal data”).
• PandaDoc doesn’t sell any personal data and doesn’t receive any revenue from it.

So, the response to “How PandaDoc is affected (by the VDCPA)” is very straightforward: PandaDoc is in no way being affected by the VCDPA act.

Staying VDCPA complaint with PandaDoc

However, as an efficient document management system, PandaDoc can play a crucial role in helping businesses stay compliant with the VCDPA.

Let’s take a look at the possible ways the software platform can help.

1. PandaDoc offers various integrations with third-party cloud storage services like Box, Dropbox, Google Drive, etc. It makes it easier to locate, access, and process consumer information in accordance with the VCDPA’s requirements.
2. Smart document organization allows you to locate and manage VCDPA-affected documents easier.
3. Sharing documents with collaborators and employing an advanced role-based access system helps ensure that only authorized personnel have access to personal data.
4. PandaDoc’s powerful security features are aimed at maintaining the necessary level of data security as required by the VCDPA.
5. You can create and maintain your VCDPA-complaint privacy policy using our free privacy policy template.

Conclusion

As we learned today, VCPDA is a state-wide law aimed at personal data protection in Virginia.

The act has similarities to both the European GDPR and Californian CCPA/CPRA.

The main purpose of VCPDA is the prevention of episodes of consumer data privacy infringement, and accountability should infringement occur.

The last batch of changes was added to VCPDA in 2022 and came into force on January 1, 2023.

The VCDPA penalty system is slightly less harsh than CCPA/CPRA and much less severe than GDPR.

With the 30-day safe period, the companies have enough time and resources to eliminate infringements and avoid penalties.

Finally, PandaDoc, thanks to its structure, occupation, HQ location and business model, is not subjected to, nor affected by, the focus of the VCDPA.

That said, the PandaDoc platform can help you and your team build and maintain a secure and fully compliant VCDPA privacy policy.

By the way, what about safe and non-committing check of the fit between PandaDoc and your needs? Just sign up for a free 14-day trial and see for yourself!

Frequently asked questions

• What is the effective date of VCDPA?

  The Virginia Consumer Data Privacy Act was signed into law in March 2021, significantly changed in April 2022, and finally went into effect on the first of January, 2023.

• Who does the VCDPA apply to?

  The VCDPA applies to companies operating in Virginia. Either businesses that control or process personal data of 100,000+ Virginian residents, or businesses that control or process the personal data of 25,000 Virginian residents + derive over 50% of their gross revenue from the sale of personal data.

• What are the penalties for violating this act?

  Non-compliant businesses may face significant penalties, including fines of up to $7,500 per violation.

• Which exemptions does the VCDPA have?

  The act isn’t applicable for protected health information covered by HIPAA; educational records covered by FERPA; nonprofits, state agencies, colleges, and universities; banking and financial institutions processing personal information of their clients and subject to Title V of the Gramm-Leach-Bliley Act (GLBA).

• How are the businesses affected by the VCDPA?

  Since the 1st of March, 2023, applicable businesses must adhere to the provisions of the VCDPA to ensure the protection of personal data of Virginia residents.

Disclaimer

Parties other than PandaDoc may provide products, services, recommendations, or views on PandaDoc’s site (“Third Party Materials”). PandaDoc is not responsible for examining or evaluating such Third Party Materials, and does not provide any warranties relating to the Third Party Materials. Links to such Third Party Materials are for your convenience and does not constitute an endorsement of such Third Party Materials.