The Virginia Consumer Data Protection Act and Categories of Personal Data

In March 2021, Virginia passed the Virginia Consumer Data Protection Act (“VCDPA”) which becomes effective January 1, 2023. The VCDPA uses language similar to other comprehensive state privacy regulation, and for that reason, we can examine and clarify some of the terms used in the VCDPA.

The VCDPA obligates covered controllers to, among other things, notify Virginia consumers of the categories of personal data processed by the controller. This statement entails two important parts: first, that the entity is subject to the VCDPA; and second, that the entity is the controller of personal data.

The VCDPA has several elements and exemptions that entities must consider when determining whether they are subject to the VCDPA. We will be providing a survey for users to complete to assist them with determining their exposure to the VCDPA. When this survey is completed, we will update this article with a link.

The VCDPA, like other comprehensive privacy regulation, determines obligations for businesses based on their status as a controller or a processor. The VCDPA obligates controllers to provide Virginia consumers with a privacy notice. It is within this privacy notice that users must be informed of the categories of personal data collected by the controller.

Categories of Personal Data

To understand the “categories of personal data processed by the controller” privacy notice requirement of the VCDPA, it helps to briefly review the history of privacy regulation in the United States. In 2018, the European Union implemented the General Data Protection Regulation (“GDPR”), which updated prior European privacy law passed in 1995. The GDPR has been used as a model for some state privacy laws in the United States. The California Consumer Privacy Act (“CCPA”), which came into effect on January 1, 2020, was modeled in part after the GDPR, which brings us, finally, to the VCDPA.

The VCDPA shares a substantial number of similarities with the CCPA and, by extension, the GDPR. These similarities are important because we can review these prior laws for helpful guidance on VCDPA terms. It is important to note that while this guidance may be helpful, it does not mean that these other laws control the interpretation of the VCDPA. On the federal level, the GLBA and HIPAA are relevant because the Virginia privacy regulation provides carve-outs to make sure that, in some cases, the Virginia regulation does not conflict with federal law.

The text of the VCDPA does not provide specific examples of what constitutes a category of personal data. As a result, controllers may reasonably be concerned about what to include in their privacy notice so that users are informed but not overburdened or confused by too many categories.

The VCDPA also specifically describes categories of “sensitive data.” The concept of sensitive data is common in privacy law and generally refers to a category of information that receives special protection under the relevant regulation. For Virginia, sensitive data includes:

1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
2. the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
3. the personal data collected from a known child; or
4. precise geolocation data.

Sensitive data is particularly important for businesses because processing it may trigger a requirement to conduct a data protection assessment. The concept of a data protection assessment can also be found in the GDPR. The substantial obligations associated with a data protection assessment mean that such assessments may be particularly burdensome for businesses that do not necessarily need to process sensitive data.

Conclusion

The categories of personal data are often a daunting topic for a business attempting its first, second or third privacy notice. A comprehensive understanding of all relevant privacy law, combined with experience in drafting privacy notices, makes the drafting process manageable.

Businesses looking to draft their own privacy notice should consider reviewing the GDPR and CCPA, as well as associated guidance from government bodies, to ensure that their privacy notice is adequate. Additionally, businesses need to understand the rapid pace of change in the privacy sector and continuously monitor relevant developments.

While these businesses do not need to work blindly when drafting a responsive privacy notice, there is significant risk in attempting to draft a privacy notice without substantial experience. Businesses should consider that properly addressing known obligations when drafting their privacy notice does not mean that they have addressed all relevant obligations. As privacy regulation constantly evolves, there are numerous facets to understand and properly apply. It often pays dividends to rely on a knowledgeable partner to maintain privacy compliance.

About

All Terms is dedicated to helping all business types generate and maintain privacy compliance. Our tools were developed based on years of legal work assisting businesses with their privacy needs. We know that privacy compliance is an ongoing task. We've leveraged our experience to lower the costs of generating privacy documents by automating the generation process. Our years of experience in the legal field have exposed the limitations of having an attorney or a team of attorneys ensure accurate and continuous compliance. So we've leveraged technology to make sure that you have access to affordable, continuous, and available tools to maintain compliance.