VCDPA Sensitive Data: How to Protect it?

Sensitive data, or sensitive personal information, is a special category of personal information that, if revealed, can cause even more harm to the individual than regular personal information (PI).

This is why every data privacy law sets out specific requirements that data controllers must follow for this type of data.

In this article, we’ll explore the VCDPA sensitive data requirements and how to protect sensitive data under the Virginia Consumer Data Protection Act.

Key Takeaways

  • The Virginia Consumer Data Protection Act applies to medium and large businesses that process the data of Virginia residents or provide goods and services targeted at Virginia residents
  • VCDPA sensitive data is protected and subject to additional requirements beyond those for ordinary personal data, such as the obligation to obtain the consumer’s consent before processing it
  • The Act considers a person’s racial or ethnic origin, sexual orientation, citizenship or immigration status, mental or physical health diagnosis, children’s data, religious beliefs, and precise geolocation data to be “sensitive data”

Virginia Consumer Data Protection Act Overview

The Virginia Consumer Data Protection Act (VCDPA) sets the rules and requirements businesses in Virginia must follow to safeguard their customers’ data when they are collecting, storing, using, or sharing it.

The VCDPA bill was signed into law in March 2021, making Virginia the second state (after California, with the CCPA/CPRA in 2018) to have its own privacy legislation. The Act became effective on January 1, 2023.

The Act applies to any business that is located in Virginia, or that offers products and services to Virginia residents, and that:

  • Controls or processes the personal data of 100,000 or more consumers during one year or
  • Controls or processes the personal data of 25,000 or more consumers and earns a minimum of 50% of its gross revenue from the sale of that data

In case of non-compliance with the Virginia Consumer Data Protection Act, the Attorney General is authorized to first notify the data controller of the violation.

The controller then has 30 days to cure the violation and inform the AG that it has done so. If it doesn’t, the Attorney General can file a civil lawsuit against the controller and demand penalties of up to $7,500 per violation.

Is Sensitive Data Under the Virginia Consumer Data Protection Act Protected?

Under the VCDPA, sensitive data is protected and is subject to additional requirements compared to ordinary personal data.

More specifically, before processing sensitive data, the data controller must first obtain the consumer’s consent; if the data relates to a child under 13 years of age, it must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).

Types of VCDPA Sensitive Data That Are Protected

Sensitive data, or sensitive personal information (SPI), is a type of personally identifiable information (PII) that, if revealed or if it falls into the wrong hands, can potentially be used against its owner in harmful ways.

This includes information such as a person’s racial and ethnic origin, sexual orientation, political and philosophical beliefs, genetic or biometric data such as fingerprints, precise geolocation data such as an IP address, and the personal data of minors.

The VCDPA considers the following types of personal data as “sensitive”:

  1. A person’s racial and ethnic origin
  2. Sexual orientation
  3. Citizenship and immigration status
  4. Mental or physical health diagnosis
  5. Religious beliefs
  6. Genetic and biometric data (when used to uniquely identify a person)
  7. Personal data of children under 13 years of age
  8. Precise geolocation data

The law does not cover the following types of data:

  1. Health information that is protected by the Health Insurance Portability and Accountability Act (HIPAA)
  2. Health records
  3. Patient identifying information
  4. Other data sets that are already protected by the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), or other relevant federal laws, as listed in the Code of Virginia

VCDPA Sensitive Data Requirements

Sensitive data under the VCDPA requires your business to follow additional guidelines to ensure compliance with the law. Here are the main requirements you must follow:

Explicit Consent

As mentioned above, processing VCDPA sensitive data is not allowed unless the data controller or processor has first obtained explicit consent from the consumer.

Explicit consent means that the consumer must have clearly and unambiguously expressed their agreement to the processing of their sensitive data; implied consent, pre-ticked boxes, or inactivity should not constitute consent.

The request for consent must include an explanation of how the collected data will be used, any potential risks associated with its use, and a description of all services provided by the business.

Data Protection Assessments

Businesses are required to conduct a data protection assessment for any processing activity involving sensitive data. The assessment should identify and evaluate the potential risks associated with collecting, storing, and using this type of information.

Consumer Rights

The VCDPA grants consumers several rights, including:

  • The right to be informed whether the controller is processing their personal data
  • The right to ask the controller to correct inaccurate or out-of-date data it has collected about them
  • The right to demand that the controller delete the personal data it has collected about them
  • The right to request and obtain copies of the personal data the controller has collected about them
  • The right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling

Of course, all of these consumer rights also apply to sensitive data. The only difference is that sensitive data carries a few additional requirements.

Data Minimization

One important requirement for sensitive data is the principle of data minimization. This means that businesses should only collect, process, and retain the minimum amount of sensitive information necessary to fulfill a specific purpose.

Security Measures

Sensitive data must be protected with appropriate security measures to prevent unauthorized access, disclosure, alteration, or destruction. This can include implementing encryption, firewalls, and access controls, and regularly monitoring systems for any signs of a breach.

Data Breach Notification

In the event of a data breach involving sensitive information, businesses must promptly notify the affected individuals and the relevant authorities.

The notification should include detailed information about the nature of the breach, the types of personal data compromised, steps taken to mitigate any harm caused by the breach, and resources available for consumers to protect themselves.

Closing

The main purpose of data privacy laws is to protect the consumer’s personal data when it is collected, stored, processed, or shared by businesses, and the Virginia Consumer Data Protection Act is no different.

Hopefully, you now have a better understanding of the VCDPA sensitive data requirements and how to safeguard your consumers’ SPI.

We try to provide you with as much information as possible in these articles, but don’t use them as a substitute for legal or expert advice.

Instead, get in touch with our data privacy experts and we’ll help ensure your business’s compliance with data privacy laws such as the VCDPA, GDPR, LGPD, CPRA, and more.

FAQs

What is sensitive data in the Data Protection Act?

Sensitive data, or sensitive personal information (SPI), is a special category of personal information that, unlike a person’s name, telephone number, or email address, is not publicly available and that, if shared with the wrong person or stolen, can cause harm to the individual.

Most data privacy acts, such as the EU’s GDPR, Brazil’s LGPD, and China’s PIPL, consider the following to be “sensitive data”:

  1. Racial and ethnic origin
  2. Sexual orientation
  3. Religious, political, or philosophical beliefs
  4. Citizenship and immigration status
  5. Genetic or biometric data used to uniquely identify a person
  6. Children’s data
  7. Precise geolocation, such as IP addresses

Read our article to understand sensitive personal information (SPI) better.

What is exempt from the Virginia Consumer Data Protection Act?

Under the Virginia Consumer Data Protection Act (VCDPA), the following data is exempt:

  1. Health information already protected by the Health Insurance Portability and Accountability Act (HIPAA)
  2. Health records
  3. Patient identifying information
  4. Other data sets protected by federal laws such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), or others (see the Code of Virginia for the full list)

Do you want to ensure HIPAA compliance? Start with our HIPAA compliance services article.

What is the difference between CPRA and the Virginia Consumer Data Protection Act?

The California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) are both state-level laws that regulate how businesses that are located in, or offer goods and services to residents of, those states must protect their consumers’ data.

Although these laws share the same purpose, they do have a few differences.

The most obvious one is that the CPRA applies to entities conducting business in California and targeting California residents, while the VCDPA does the same for businesses located in Virginia and targeting Virginia residents.

Both laws provide certain data subject rights, such as the right to be informed about the processing of their personal information, to request correction of data, to request deletion of data, etc. However, unlike the VCDPA, the CPRA also allows consumers to limit the use and disclosure of their sensitive data, a right the VCDPA does not specify.

Check out our CCPA vs GDPR article to learn more.

What is the Virginia SB 1392 Consumer Data Protection Act?

The Virginia SB 1392 Consumer Data Protection Act was the state bill in Virginia that was passed into law as the Virginia Consumer Data Protection Act (VCDPA) in March 2021.

This law governs the conditions under which businesses operating in the state of Virginia, or targeting residents of the state, can process their consumers’ data.

Do you need a compliance risk management framework? Start by reading our in-depth article on the topic.

Is Virginia opt-in for sensitive data?

Yes. The Virginia Consumer Data Protection Act (VCDPA) does not allow the processing of sensitive data without prior consent from the consumer.

Under the VCDPA, sensitive data includes:

  1. A person’s racial or ethnic origin
  2. Mental or physical health diagnosis
  3. Religious beliefs
  4. Sexual orientation
  5. Citizenship or immigration status
  6. Personal data relating to children under 13
  7. Precise geolocation data

Do you understand the meaning of “opt-out”? Read our guide.