Virginia Passes Consumer Data Protection Act

On March 2, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. Virginia is the second state to enact a comprehensive state privacy law. California enacted the California Consumer Privacy Act (CCPA) in 2018 to preempt a ballot initiative.

The VCDPA will go into effect on January 1, 2023, and while it was modeled on the CCPA and the European Union’s General Data Protection Regulation (GDPR), it also has some differences.

For credit unions, the primary difference is in the exemptions.

“B. This chapter shall not apply to any (i) body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth; (ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); (iii) covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5); (iv) nonprofit organization; or (v) institution of higher education.”

The VCDPA exempts financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA). This differs from the CCPA, which only exempts the data that is subject to the GLBA.

The VCDPA applies to businesses that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that (i) during a calendar year, control or process data for at least 100,000 Virginians or (ii) control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data. Personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Under the VCDPA, Virginia residents have the right to control the processing of their personal data including:

  • To confirm whether or not a controller is processing their personal data and to access such personal data;
  • To correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing of their personal data;
  • To delete personal data provided by or obtained about them;
  • To obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
  • To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.

Businesses subject to the VCDPA would be subject to and need to implement:

  • Data minimization and technical safeguards requirements
  • GDPR-like requirements – data protection assessments and data processing agreements

Under the VCDPA, there would be no right of private action. Instead, the Virginia Attorney General’s office would have exclusive enforcement over the VCDPA. In addition, a controller or processor must be provided 30 days’ written notice of any violation, allowing the entity the opportunity to cure the violation. Failure to cure the violation could result in a fine of $7,500 per violation.

Question of the Week

Q. If a member deposits a check to a savings account, can the credit union place a hold on it if the hold is deemed necessary?

A. Yes, a reasonable hold may be placed on a check deposited to a savings account.

Reg CC check hold rules apply to “accounts,” which is defined as generally including accounts at a credit union from which the member is permitted to make transfers or withdrawals by negotiable or transferable instrument, payment order of withdrawal, or other similar means for the purpose of making payments or transfers to third persons or others. An account also includes accounts from which the member may make third party payments at an ATM, remote service unit, or other electronic device, including by debit card, but the term does not include savings deposits.

Therefore, since Reg CC does not apply to savings deposits, a credit union may place a reasonable hold on a check deposited to a savings account. If there are doubts about the collectability of checks, a hold long enough to determine if the check is going to be paid might be a good idea. The credit union can use this time to determine if the check will be returned by the midnight deadline or make phone calls to try and determine the legitimacy of the check’s issuance.

It is also important to note that while Reg CC does not apply to savings accounts, credit unions should check their membership and account agreements and/or their Funds Availability Policy to ensure that they do not make savings deposits subject to Reg CC provisions by way of the agreement/policy; the agreements and policy should be consistent, and the credit union’s practices should match the agreements and policy.

Related Link

12 CFR 229.2

Compliance Alerts

National Credit Union Administration

Harper Discusses Economic Outlook, Urges Credit Unions Against Garnishing Stimulus Payments: NCUA Board Chairman Harper urges credit unions to consider reputational risks before offsetting against the most recent round of stimulus payments.

Registration Open for April 14 Webinar on BSA/AML Compliance: The NCUA announced that online registration for the webinar, “Bank Secrecy Act Update,” is now open. The webinar is scheduled to begin at 11 a.m. PDT and will run for approximately 60 minutes. Participants will be able to log into the webinar and view it on their computers or mobile devices using the registration link. The webinar will cover updates on recently issued BSA statements, actions for managing high-risk accounts, and highlights of the Anti-Money Laundering Act of 2020.

NCUA Board Extends Comment Period for Proposed CUSO Rule: The NCUA Board unanimously approved by notation vote a 30-day extension of the comment period for its proposed rule on credit union service organizations, Part 712.

Consumer Financial Protection Bureau

CFPB Annual Complaint Report Highlights More Than a Half-Million Complaints Received in 2020: The CFPB issued a report to Congress which showed the overall complaint volume for 2020 was 54% higher than 2019. Credit reporting and mentions of coronavirus as a keyword were primary drivers of the increase in volume.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of March 25. The last update prior to this was March 22.

Questions? Contact the Compliance Hotline: 1.800.546.4465.
