The Virginia Consumer Data Protection Act and You

In March 2021, the Commonwealth of Virginia enacted the Virginia Consumer Data Protection Act (VCDPA), a significant move towards enhancing the data privacy rights of Virginia residents. This act, effective from January 1, 2023, is the state’s principal consumer data protection law, and it’s crucial for businesses worldwide dealing with clients in Virginia to understand its implications.

Scope and Applicability

The VCDPA applies to businesses that control or process the personal data of at least 100,000 Virginia residents or derive over half of their gross revenue from selling the personal data of at least 25,000 Virginia residents. Exempt from the VCDPA are public and governmental organizations, entities covered under the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA)/HITECH-covered entities, and those compliant with the Children’s Online Privacy Protection Act (COPPA).

Consumer Rights

Under the VCDPA, consumers have the right to access, correct, and delete their personal data held by businesses. They also have the right to opt out of targeted advertising, the sale of their personal data, and profiling in specific contexts such as financial services and employment. Businesses must respond to consumer requests within 45 days, with a possible extension of an additional 45 days under certain conditions.

Definition of Personal Data

The law defines personal data as sensitive data related to characteristics like sexual orientation, race, religion, ethnic origin, and health that can be linked to an individual. It’s important to note that this definition excludes data linked to devices or households, and the protection only applies to Virginia residents in their capacity as consumers, not as employees.

Business Responsibilities

Businesses covered by the VCDPA must:

  • Obtain explicit consent before processing sensitive personal data.
  • Outline in their privacy policies how consumers can exercise their rights.
  • Ensure data security and prevent unauthorized access.
  • Conduct regular data protection assessments, particularly for processes involving sensitive data, the sale of data, or personal data used for profiling and targeted advertising.

Best Practices for Compliance

To ensure compliance with the VCDPA, businesses should:

  • Adopt technical safeguards and minimize the use of consumer data to what is necessary for the purposes disclosed to consumers.
  • Regularly update their knowledge of the law and its requirements.
  • Consider using privacy management consultants, such as Envescent.

Penalties for Non-Compliance

Failure to comply with the VCDPA can result in civil fines of up to $7,500 for each infringement, as well as injunctions to prevent further violations. Enforcement is carried out by the state attorney general, as Virginia residents do not have a private right of action under this law.

Global Implications

For businesses located all over the world, the VCDPA signifies the growing trend of stringent data protection laws similar to the European Union’s GDPR. Compliance requires a thorough understanding of the data they collect from Virginia residents, the purposes for which it is used, and the measures in place to protect it. Businesses must align their data processing and privacy policies with these new requirements to avoid legal and financial repercussions.

In conclusion, the VCDPA is a significant milestone in data privacy legislation, paralleling California’s privacy laws. Businesses around the world dealing with Virginia’s residents must prioritize compliance to uphold the rights of consumers and avoid legal and financial penalties.

Our privacy and security experts are happy to help your firm with both the technological and regulatory issues that laws like this may cause. Our view is that compliance measures like this offer businesses of all sizes an opportunity to improve their informational organization, unification, and security. Productivity gains can also be realized by optimizing how your company manages data, where it is stored, and how it is accessed.

Contact us for a free consultation to see if we’re a good match to help your company stay compliant in the rapidly evolving world of privacy regulation.
