On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. Virginia is now the second state to enact comprehensive privacy legislation, the first being California with its California Consumer Privacy Act (CCPA) and the California Privacy Rights and Enforcement Act (CPRA). The VCDPA, which will go into effect on January 1, 2023, draws concepts from the CCPA, the CPRA and the European Union’s General Data Protection Regulation (GDPR).

Entities and Data Subject to the VCDPA

The VCDPA applies to all entities that “conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and that (1) during a calendar year control or process personal data of at least 100,000 Virginia residents or (2) control or process the personal data of at least 25,000 consumers and derive at least 50 percent of their gross revenue from the sale of personal data. (The law does not make clear whether the revenue threshold applies to Virginia residents only.)

Businesses can assume that economic activity that triggers tax liability or personal jurisdiction in Virginia will also trigger VCDPA applicability. Unlike the CCPA, the VCDPA does not include a standalone revenue threshold that imposes obligations, meaning that even large businesses will not be subject to the VCDPA so long as they do not meet one of the other two thresholds.

To determine whether the VCDPA is applicable, a business will need to know the type of personal data it controls or processes and whether it engages in the sale of personal data. “Personal data,” a GDPR term, is defined to include “any information that is linked or reasonably linkable to an identified or identifiable natural person” but excludes “de-identified” data, publicly available information, pseudonymous data, and employment-related information.

The statute defines “sale of personal data” as “the exchange of personal data for monetary consideration by the controller to a third party,” a narrower definition than that in the CCPA, under which a sale occurs where the exchange is also for “other valuable consideration.”  Excluded from the definition of sale are disclosures made in the ordinary course of business such as disclosures to affiliates, to third parties if requested by consumers, to processors (a GDPR term and equivalent of “service providers” under the CCPA), and disclosures of certain information made public by a consumer.

Exemptions from the VCDPA

The VCDPA provides two types of exemptions, significantly broader than the CCPA’s exemptions. Entity-level exemptions cover agencies or political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations, and institutions of higher education. In addition, there are 14 categories of exempted datasets, including specific information regulated by the GLBA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Farm Credit Act, the Family Educational Rights and Privacy Act, and specific employee and job applicant data.

Consumer Rights under the VCDPA

The VCDPA provides consumers with CCPA/GDPR-type rights including (1) the right to access, correct, and delete their personal data, (2) the right to data portability, (3) the right to opt out of processing for purposes of targeted advertising, the sale of personal data, or profiling that results in decisions with legal effects, and (4) the right to appeal a business’s denial to act within a reasonable time.

A business that acts as a controller (a GDPR term) must respond to a consumer request within 45 days after receipt, with the option to extend the deadline by an additional 45 days so long as it provides notice and the reason for the extension.  If a controller fails to respond to a consumer’s request, it must provide a justification for declining to respond and instructions on how to appeal the decision.  If the appeal is denied, the controller needs to inform the consumers how they can submit a complaint to Virginia’s attorney general.

Controller Responsibilities under the VCDPA

The VCDPA limits a controller’s collection and use of personal data and requires the implementation of reasonable technical and organizational safeguards. Controllers can collect and process only personal data that is reasonably necessary and compatible with the purposes previously disclosed to consumers and obtain consent before processing personal data collected for a different purpose.

Departing from the CCPA, the VCDPA gives consumers the right to opt in to the processing of their sensitive data, which is defined as: “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying a natural person; the personal data collected from a known child; and precise geolocation data.”

Controllers are required to provide a privacy notice that explains how consumers can exercise their rights, how they can opt out of the sale or processing of their personal data for targeted advertising, the categories of personal data processed, the purpose for processing personal data, the categories of personal data shared with third parties, and the categories of third parties with whom the controller shares personal data.

Additional GDPR-Type Obligations for Controllers and Processors

The VCDPA requires controllers to conduct “data protection assessments” to evaluate the risks associated with processing personal data for purposes of targeted advertising, the sale of personal data, the processing of sensitive data, the processing of personal data for purposes of certain profiling activities, and any processing activities that pose a heightened risk of harm to consumers.

In addition, controllers must enter into data-processing agreements with their processors setting forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The agreement should also include certain confidentiality and retention provisions and obligations on processors to cooperate with controllers and demonstrate that they have policies and technical and organizational measures to meet their own obligations.

Enforcement—No Private Right of Action

Only the Virginia attorney general is authorized to enforce the VCDPA, subject to a 30-day cure period. The attorney general may seek injunctive relief, damages of up to $7,500 for each violation, and attorneys’ fees. Unlike the CCPA, however, the VCDPA does not provide for a private right of action for cybersecurity failures.

Responding to the VCDPA

Even for businesses that have already implemented privacy programs to comply with the GDPR and/or the CCPA, the VCDPA presents new challenges. Such businesses will need to implement: (1) a broader affirmative consent or opt-in requirement to process sensitive personal data; (2) broader opt-out rights for processing that cover not only sales of personal data but also targeted advertising and profiling decisions that produce legal or similarly significant effects; (3) mandatory data-protection assessments for sales of personal data, targeted advertising, and profiling; (4) processes to comply with the obligation to delete personal data collected about a consumer; and (5) changes to the automated processes already implemented related to consumer requests regarding the mandatory right to an appeal process. In taking those steps, businesses will also need to consult experienced and well-qualified privacy counsel to ensure that they are meeting all of the relevant requirements of this new Virginia law.


Published: February 10, 2021

Willcox & Savage P.C.
Norfolk, Virginia, USA
INTA Bulletins—North America Subcommittee

“No better friend, no worse enemy.” Many people recognize that phrase as a proud claim of the U.S. Marine Corps (adapted from a remark ascribed to Roman General Lucius Cornelius Sulla). But did you know that the phrase is also a trademark that the Marine Corps has registered (without the comma) with the U.S. Patent and Trademark Office (USPTO) to use on T-shirts? Or did you know that the Marine Corps has also registered its iconic slogan “Semper Fi” (from its motto “Semper Fidelis,” or “Always Faithful”) for hats and shirts?

In fact, since 1994, the Marine Corps has registered, applied for, or acquired by assignment, approximately 700 federal trademarks, making the “Devil Dogs” (the Marines’ nickname from World War I) the owner of an impressively large portfolio. The Marine Corps, which was founded in 1775, and claims to be the “first to fight” of all five U.S. military services (the others being the Air Force, Army, Coast Guard, and Navy), has also been foremost in terms of developing, protecting, and licensing its marks.

As with the Marines, the other services are also guarding their own trademarks. The Department of the Army owns about 300 federal marks, including the Army motto DUTY HONOR COUNTRY as registered for use with clothing items and BLACK KNIGHTS (the nickname of the United States Military Academy, or West Point, sports teams) for use with cases and covers for mobile phones. The U.S. Navy owns approximately 200 federal marks, including US NAVY SEALS as registered for use with shot glasses and ANCHORS AWEIGH, the subject of a pending application that covers hats and shirts.

The Air Force, as the second-newest U.S. military service branch, established in 1947, owns about 20 federal marks, including USAF THUNDERBIRDS and THUNDERBIRDS and design for entertainment in air shows. (The Thunderbirds is the Air Force’s equivalent of the Navy’s Blue Angels flight demonstration team.) The Coast Guard, the smallest of the military services, owns about 10 federal marks, including UNITED STATES COAST GUARD 1790 and design (the design being the Coast Guard’s seal) for a wide variety of goods, including golf balls and teddy bears.

The exact number of the military services’ respective marks is difficult to determine because the services’ exchange systems, reserve components, or other service-related entities own some of the marks.

As one can see, U.S. military trademarks differ from most civilian marks in that the military services tend to tie their marks to their respective history and traditions and the operational elements—such as the SEALS or the Thunderbirds—for which they are well known. Although their marks protect branded goods, the services do not use their marks primarily to sell goods. Rather, much like colleges and universities, the military services use branded goods to market their core product. In the case of colleges and universities that core product is education, but in the military services the “product” is being prepared to fight to defend the United States and its allies, with each service preparing in a way tailored to its particular mission.

Most of the military’s trademark activity has occurred since appreciation for the U.S. Armed Forces began to rise after the tragedy of 9/11 and continued to rise during the long and difficult wars in Afghanistan and Iraq that started in 2001 and 2003, respectively. That increased appreciation led to the development by private citizens, many of them former service members, of marks that consisted of or included military terms or designs and were used with various goods and services. However, no formal licensing system was in place for the military services to protect their marks, control the quality of third-party products sold under military marks, and stop third parties from using such marks in ways the military considers inappropriate.

Thus, in 2007, the U.S. Department of Defense directed the military services to take steps to protect and license their marks and stop unlicensed third parties from using military marks. In typical Corps fashion, the Marines continued to move aggressively (as they had since 1994), contacting print-on-demand T-shirt suppliers CafePress and Zazzle in 2009 about the Marine Corps’ trademark rights and demanding that several small online retailers of military-theme hats and shirts stop their uses of the Marines’ marks.

Between 2009 and 2014, the Marines collected US $5.4 million in trademark-licensing fees, and in 2014 their trademark office gave more than US $700,000 in such fees to their Morale, Welfare, and Recreation Fund, which is used to improve the quality of life for Marines and their dependents.

The Army also took steps to enforce its trademark rights, increasing the sale of licensed Army merchandise from US $5 million to US $50 million between 2007 and 2011, and garnering more than US $1 million in royalties. Then, from 2011 to 2013, the Army more than doubled its number of licensees, from 120 to 265.

The other branches of the Armed Forces have also expanded their trademark-licensing programs, and today each has a trademark office set up to receive license requests. For example, the Army maintains its “Army Trademark Licensing Program” office in Arlington, Virginia, USA, not far from the USPTO. These programs have been quite successful, with the Air Force having more than 200 trademark licensees as early as 2013, and the Marines, according to their website, being maxed out with respect to licenses for putting their marks on hats, mugs, and shirts.

The Department of Defense’s (DOD) general trademark policy is set forth in the “DOD Trademark Licensing Guide.” According to the Guide, the DOD Community and Public Outreach Division is responsible for educating non-federal entities (NFEs) and individuals about “the use of official seals and other protected logos, insignia and marks” of the DOD and the military services. The Guide states that although it is intended to inform all NFEs about how military marks may and may not be used, it is intended primarily for the leaders and key staff of national veteran service organizations, institutions of higher education, and military service organizations.

Each U.S. Armed Forces branch also has its own trademark-licensing guidelines. For example, the Navy’s guidelines explain that “licensing protects the Navy’s name, heritage, reputation, and image by permitting only appropriate uses and assuring that only quality products that enhance the reputation and public goodwill of the Navy are licensed.” Accordingly, the guidelines state that “[p]ermission must be obtained by anyone who wishes to use the Navy’s trademarks” and include a “How to Apply” link for entities that want to seek such permission.

Not every entity that wants to use a military mark is able to obtain permission. As set forth in the “DOD Trademark Licensing Guide,” some marks such as the DOD and individual service seals “may be used only by the military departments for official purposes.” Other military marks such as the Marines’ Globe-and-Anchor and design mark may be licensed, but not for uses to which their owners object. Thus, the Marine Corps deemed infringing the unauthorized branding of toilet paper rolls with the words LEATHERNECK WIPES (“Leathernecks” being another nickname for Marines) and the Globe-and-Anchor design.

Not everyone agrees that the military services—which are, after all, public entities—should be able to license their marks. For instance, Marine Corps officer and spokesman Eric Flanagan was reported in a 2014 news article as saying that he could understand why veterans think, even if erroneously, that they have a right to use their services’ marks. “[Marines] believe they earned it on Parris Island,” then-Major Flanagan said, naming the “boot camp” where each year about 17,000 enlisted Marines perform basic training. “They died for it, and now you’re going to try to take it?” he asked rhetorically. “You going to take that tattoo off my arm too?”

Accordingly, the military services try—as do most civilian trademark owners—to work things out with third parties that use their marks in a well-intentioned but unauthorized way. Philip Greene, in-house trademark counsel for the Marine Corps, has given the example of a Marine veteran who started “Semper Fidelis Garage Doors” and created a logo that included the Marine Corps seal and the words “garage doors.” Mr. Greene reportedly called the veteran, explained the situation, and reached an agreement under which the veteran continued to use the name “Semper Fidelis Garage Doors” but replaced the Marine Corps seal with crossed swords.

Recently, the newest U.S. military service, the Space Force, learned that the services sometimes need to move quickly to protect their marks. Formed on December 20, 2019, as part of the Department of the Air Force (DAF), the Space Force did not move to protect any of its marks abroad before Netflix, the content platform and production company, premiered its comedy series Space Force on May 29, 2020, and obtained trademark protection for SPACE FORCE in Australia, Europe, Mexico, and some other non-U.S. jurisdictions.

In the U.S., the DAF had filed two intent-to-use (ITU) applications for SPACE FORCE, one on March 13, 2019, and one on May 20, 2020, and subsequently filed an ITU application for UNITED STATES SPACE FORCE and design on July 21, 2020. Unfortunately for the Space Force, each of those three applications now faces multiple citations of other prior pending applications from numerous sources (but not Netflix) for marks that the USPTO considers confusingly similar to the DAF’s applications for SPACE FORCE marks. Time will tell whether the Space Force is ultimately victorious with its U.S. applications.

Military services have protected the United States since the country’s founding. (The Continental predecessors of the Army, Navy, and Marine Corps predate the Declaration of Independence.) Today, the services continue to perform that important mission but are now also protecting their valuable trademarks. So, before a business, even a veteran-owned business, begins using a military mark or a mark intended to associate the business with the history and traditions or components of a military service branch, the owner should seek a license.

As Sun Tzu (孫子 or Sūnzǐ), the famous Chinese general and military strategist of the fifth century B.C.E., might say in that context, “To win without fighting is the acme of skill.”

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. 

© 2021 International Trademark Association

