On March 3, 2021, VA S 1392, the Virginia Consumer Data Protection Act (VCDPA), was signed into law. In this article, we will discuss all that you need to know about the Virginia Consumer Data Protection Act, including who it applies to, how it defines “personal data,” the rights that it provides to consumers, and its enforcement mechanisms so that you can be ahead of the curve on preparing for this law.
Virginia Consumer Data Protection Act: Who it applies to
All of the privacy laws in the United States have a broad reach, potentially applying to businesses outside of the state in which they are passed, and VCDPA is no exception. The law applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following factors:
- During a calendar year, control or process the personal data of at least 100,000 Virginia consumers; or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
While at first glance the law may seem to apply to larger businesses only, VCDPA defines “personal data” as “any information that is linked or is reasonably linkable to an identified or identifiable natural person.” Thus, if your website gets quite a few form submissions each year, you can easily meet this threshold. In addition, you may also be required to comply with this law if you are a vendor for a larger company that does meet the above thresholds.
Virginia consumers are provided with the following privacy rights under this law:
- To confirm whether the consumer’s personal data is processed and to access such personal data;
- To correct inaccuracies in the consumer’s personal data;
- To delete the consumer’s personal data;
- To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller; and
- To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling.
The Virginia Consumer Data Protection Act requires controllers to respond to consumer requests to exercise their privacy rights within 45 days, making it imperative to develop streamlined procedures for responding to such requests.
- The categories of personal data processed;
- The purposes of processing the personal data;
- How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request;
- The categories of personal data that you share with third parties, if any;
- Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing; and
- One or more secure and reliable means for consumers to submit a request to exercise their privacy rights.
As you can see from the above list, this law requires updates to the Privacy Policies of many businesses.