On the 2nd of March 2021, the Virginia Consumer Data Protection Act (VCDPA) was signed by the state’s governor and is planned to come into effect at the beginning of 2023. The act, officially S.B. 1392 / H.B. 2307, regulates how companies that handle personal data must protect this information and permits consumers to exercise their rights to access and control their personal information.
VCDPA is the second major privacy law in the United States of America after the California Privacy Rights Act (CCPA), both of which follow the European GDPR model. Following this trend, many states are expected to pass their own legislation on privacy and personal data security soon.
Who is the VCDPA addressed to?
The VCDPA targets all institutions, organizations, or entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and that, over the period of a year, either:
“(1) control or process personal data of at least 100,000 Virginia residents, or (2) derive over 50% of gross revenue from the sale of personal data (though the statute is unclear as to whether the revenue threshold applies to Virginia residents only) and control or process personal data of at least 25,000 Virginia residents.”
So if you have a website that targets people from Virginia, make sure you are complying with this future legislation by:
- updating your notices;
- implementing data minimization;
- setting up a possible appeal method;
- providing the option to opt out for sensitive data;
- evaluating your privacy, security, and reporting procedures.
VCDPA Rights and Obligations
Like earlier privacy laws, VCDPA defines the rights of the consumers, that is, the individuals whose data is being collected, and the obligations of the controllers, the entities that gather and store this data.
According to the Virginia Consumer Data Protection Act, individuals have the right to:
- Confirm whether their personal data is being processed by a controller;
- Correct inaccuracies in their data;
- Delete personal data obtained from or about the consumer;
- Obtain a copy of the data the consumer previously provided the controller in a portable and “readily usable” format; and
- Opt out of data collection if the data is collected “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
Meanwhile, controllers must:
- Limit collection of personal data to what is “adequate, relevant, and reasonably necessary” related to the purposes of processing, which must be disclosed to the consumer;
- Refrain from processing personal data for any other purpose than those disclosed, unless the consumer consents;
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
- Not process personal data in violation of anti-discrimination laws, or discriminate against consumers for exercising any consumer rights under the CDPA;
- Refrain from processing “sensitive” consumer data without a consumer’s consent;
- Provide clear and conspicuous notice to consumers of any sale of personal data to third parties or processing for targeted advertising, and the manner for opting out of such activity;
- Create and provide in the privacy notice “one or more secure and reliable means for consumers to submit a request to exercise their consumer rights” that must “take into account the ways in which consumers normally interact with the controller” and the need for “secure communication of such requests”;
- Provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that includes:
  - The categories of personal data processed by the controller;
  - The purposes for processing the personal data;
  - How a consumer may exercise their CDPA rights, and how they may appeal a controller’s decision regarding a request;
  - The categories of data the controller shares with third parties;
  - The categories of third parties the controller shares data with.
A comparison between CCPA and VCDPA
In this next part, we will discuss the similarities and differences between CCPA and VCDPA.
Let's start with the definition of personal data. According to CCPA, it is information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, while the VCDPA defines it as “any information that is linked or reasonably linkable to an identified or identifiable natural person”.
In terms of penalties and fines, both laws state that non-compliant businesses will have to pay civil penalties of up to $7,500 per violation, which is very low compared to the GDPR fines.
According to the CCPA, data processing activities that might be considered of significant risk to consumer privacy will require annual audits and assessments, while under VCDPA data protection assessments need to be conducted when:
- processing personal data for the purposes of targeted advertising;
- selling personal data;
- processing personal data for purposes of profiling (in certain contexts);
- processing sensitive data; or
- conducting any processing activity that presents a heightened risk of harm to consumers.
You can see a more detailed comparison between VCDPA and CCPA here.