On March 3, 2021, VA S 1392, the Virginia Consumer Data Protection Act (VCDPA), was signed into law. In this article, we will discuss all that you need to know about the Virginia Consumer Data Protection Act, including who it applies to, how it defines “personal data,” the rights that it provides to consumers, and its enforcement mechanisms, so that you can be ahead of the curve in preparing for this law.
Virginia Consumer Data Protection Act: Who it applies to
All of the privacy laws in the United States have a broad reach, potentially applying to businesses outside of the state in which they are passed, and VCDPA is no exception. The law applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following factors:
- During a calendar year, control or process the personal data of at least 100,000 Virginia consumers; or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
While at first glance the law may seem to apply only to larger businesses, VCDPA defines “personal data” as “any information that is linked or is reasonably linkable to an identified or identifiable natural person.” Thus, if your website gets quite a few form submissions each year, you can easily meet this threshold. In addition, you may also be required to comply with this law if you are a vendor for a larger company that does meet the above thresholds.
Virginia consumers are provided with the following privacy rights under this law:
- To confirm whether the consumer’s personal data is processed and to access such personal data;
- To correct inaccuracies in the consumer’s personal data;
- To delete the consumer’s personal data;
- To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller; and
- To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling.
The Virginia Consumer Data Protection Act requires controllers to respond to consumer requests to exercise their privacy rights within 45 days, making it imperative to develop streamlined procedures for responding to such requests.
- The categories of personal data processed;
- The purposes of processing the personal data;
- How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request;
- The categories of personal data that you share with third parties, if any;
- Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing; and
- One or more secure and reliable means for consumers to submit a request to exercise their privacy rights.
As you can see from the above list, this law requires updates to the Privacy Policies of many businesses.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.