Understanding competing privacy laws can be confusing. When you do business in Virginia, you must adhere to the Commonwealth’s enhanced privacy laws. The Virginia Consumer Data Protection Act (VCDPA) is designed to help consumers keep control over their private information and keep businesses compliant with Virginia privacy law.
What is the Virginia Consumer Data Protection Act?
The Virginia Consumer Data Protection Act was signed into law on March 2, 2021. Virginia is the second state to enact comprehensive data privacy laws. Much like California’s Consumer Privacy Act (CCPA), the Virginia CDPA can apply to any company doing business in the state—even if they’re not headquartered there—if they meet certain requirements.
The VCDPA applies to businesses that:
- Conduct business in Virginia, or market goods and services to Virginia residents; and
- Either control or process the personal data of at least 100,000 Virginia residents, or
- Control or process the personal data of at least 25,000 Virginia residents, and derive more than 50 percent of their gross revenue from the sale of personal data.
As you can see, the VCDPA won’t necessarily apply to every business—but it’s still good practice to have a compliance plan in place. When your company is scalable and growing fast, it’s easy to run afoul of consumer privacy laws.
What does the Virginia Consumer Data Protection Act protect?
The VCDPA is designed to protect consumers’ personal data. The protections include the right to:
- Know, access and confirm what personal data is being collected or processed
- Delete personal data
- Correct inaccuracies in personal data
- Port personal data
- Opt out of the processing of personal data for targeted advertising purposes
- Opt out of profiling based upon personal data
- Opt out of the sale of personal data
- Not be discriminated against for exercising any of the foregoing rights
In order to comply with the VCDPA, companies that qualify under the Act must inform consumers of their rights. They also need to create a process that allows consumers to exercise those rights—that is, you’ll need to set up a way for a consumer to learn what personal data is being processed, and to correct or delete that information without penalty. They also have to set up an opt-out process for targeted advertising, the sale of personal data, and profiling based on personal data.
The Act also applies to third-party service providers. If your business works with vendors, it’s important that your contracts with them reflect the VCDPA’s requirements. Otherwise, your company could be held liable for VCDPA violations committed by your vendors if those violations affect the data they process on your behalf.
It’s important to note that under the VCDPA, companies can only hold pieces of data they need for a specific purpose. They can only keep that data as long as necessary to achieve said purpose. This is called data minimization and purpose limitation.
Furthermore, companies need to implement and maintain reasonable data security measures. Your company will need to create and implement measures that can meet the enhanced standards under Virginia privacy law.
Finally, your company must conduct and document data protection assessments whenever you process sensitive information, or use personal data for targeted advertising or profiling purposes. This provision is similar to the European Union’s General Data Protection Regulation (GDPR). If your company is already complying with the GDPR, you’re likely to already have processes in place that can be adapted to meet Virginia’s standard.
When will Virginia’s CDPA become effective?
Although the VCDPA was signed into law in March 2021, it doesn’t take effect until January 1, 2023. That gives companies a few months to enact processes and procedures to comply with the new law.
How to comply with Virginia’s CDPA
To comply with the VCDPA, you’ll need to do the following:
- Create a privacy notice: Your consumers need to know what kind of data you collect, why you collect it, how it’s used and how it could be shared. They also need to know how to edit or revoke consent.
- Inform consumers of their rights: The consumers also need to know what rights they have, and how to exercise them.
- Minimize data collection: Next, you’ll need to minimize the data you collect—for example, you probably don’t need a full name and birth date when someone signs up for your marketing newsletter.
- Create a consent policy and process: When collecting sensitive information, you must ensure that you have informed, affirmative consent.
- Create a data protection assessment mechanism: When collecting personal data, you’ll need to assess the benefits of collecting it, the risks associated and how your company can minimize those risks.
- Enact security safeguards: You must protect the personal data in your possession. The Act does not specify what these safeguards may include, but meeting industry standards and taking reasonable steps that combine technological as well as other controls are expected.