Virginia Consumer Data Protection Act: The Most Important Things to Know About

Virginia Takes a Lead in Data Privacy

Just eight pages long, the VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA). That’s not to say that this sweeping privacy act doesn’t have a powerful impact on the US privacy landscape. Experts predict that its brevity and clarity may result in the VCDPA becoming a blueprint for future privacy legislation.

The Virginia Consumer Data Protection Act (VCDPA) was developed to provide fundamental protections for consumers and to clearly define the obligations businesses must meet to ensure that protection. The law lays out guidelines that pave a smooth path toward compliance without imposing overly complicated requirements. As State Sen. David Marsden said when introducing the legislation: “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.”

On April 11, 2022, Virginia Governor Glenn Youngkin amended the act by signing three amendment bills. The law is now finalized in advance of its effective date, January 1, 2023.

Virginia Consumer Data Protection Act

Eligibility

Under the law, consumers have the right to view their personal data and to ask businesses to erase it. The law also mandates that businesses carry out data protection assessments when they process personal data for targeted advertising or for sale.

Entities operating businesses in Virginia are covered if they meet either of two thresholds. The entity must control or process:

  • the personal data of at least 100,000 consumers in a calendar year, or
  • the personal data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of personal data.

Exemptions

Before calculating whether it meets the thresholds set forth above, an entity should first check whether it, or the data it collects, is exempt. There are two main categories of exemptions under the CDPA: entity-level exemptions and data-level exemptions. The CDPA provides five types of exempted entities:

  1. a body, authority, board, bureau, commission, district, or agency of the Commonwealth of Virginia, or any Virginia political subdivision
  2. any financial institution, or data, subject to the Gramm-Leach-Bliley Act
  3. a covered entity or business associate subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act
  4. a nonprofit organization
  5. an institution of higher education

Consumer Rights

The CDPA provides consumers with six definitive rights. Notably, the CDPA provides no exceptions to these rights. The bulleted list below constitutes the law’s discussion of consumer rights in its entirety. Thus, where a consumer chooses to exercise these rights, a business must comply, regardless of the impracticability or hardship of fulfilling the request.

  • Right to access

Consumers have the right to confirm whether a controller is processing their personal data and the right to access that data.

  • Right to correct

Consumers have the right to correct inaccuracies in the personal data a controller holds about them.

  • Right to delete

Consumers have the right to request deletion of personal data that they provided or that was obtained about them.

  • Right to data portability

Consumers have the right to obtain a copy of their data in a portable, user-friendly format.

  • Right to opt out of data processing

Consumers have the right to opt out of the processing of their personal data for purposes of:

  • targeted advertising
  • the sale of personal data
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

  • Right to appeal

The final right the CDPA provides to consumers is the right to appeal a business’s refusal to act on a request within a reasonable time. The law requires that businesses respond to a consumer request within 45 days of receipt. Where reasonably necessary, the timeframe may be extended by an additional 45 days, on the condition that the business notifies the consumer within the initial response window.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days


Controller or Processor Obligations

Limits on collection

The CDPA includes a clause that limits the collection of personal data to that which is “adequate, relevant and reasonably necessary concerning the purposes for which the data is processed.”

Limits on use

After the data has been collected, the law requires that the business “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” 

Technical safeguards

In line with the upward trend in cyber threats and data breaches, businesses are required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”

Data protection assessments

Controllers must assess the risk associated with their processing activities by performing “data protection assessments”. The Virginia privacy law does not specify how often these assessments must take place.

Data processing agreements

A processor that handles personal consumer data on behalf of a controller must enter into a “data processing agreement” with the controller. The agreement must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.”

Privacy policy

Controllers are obligated to provide consumers with a privacy policy. The policy must include:

  • the categories of personal data processed by the controller
  • the purposes for processing personal data
  • how consumers may exercise their consumer rights and appeal a controller’s decision regarding the consumer’s request
  • the categories of personal data, if any, that the controller shares with third parties
  • the categories of third parties, if any, with whom the controller shares personal data

Practically Speaking

Companies must advise consumers of their rights under the Virginia data protection act and establish a process through which they can exercise those rights. In addition, companies subject to the law must obtain consent before collecting and processing certain types of sensitive personal data, including precise geolocation data, information about a person’s identity, and genetic or biometric data. Similar to the CCPA, the VCDPA requires businesses to enter into a specific contract with each service provider they engage to process data on their behalf. This contract must implement the Virginia privacy law’s requirements and spell out the service provider’s obligations concerning the personal data it handles.

The VCDPA also mandates that businesses retain collected data only for the specific purpose for which it was collected, and only for as long as is necessary to fulfill that purpose; these principles are known as data retention limitation and purpose limitation. To safeguard the confidentiality, integrity, and availability of personal data, businesses must also develop and maintain strong cybersecurity measures. Although the exact standard is vaguely worded, a company’s data security program is most likely adequate if it adheres to a recognized industry standard.

The Virginia Attorney General is responsible for enforcing the VCDPA. The law provides a 30-day cure period, but carries a maximum civil penalty of $7,500 per violation if noncompliance is not remedied.

How Can Centraleyes Help You with Data Privacy? 

Reach out to us to determine if the VCDPA applies to your business, assess third-party relationships that are handling personal consumer data, and develop a data protection assessment strategy.

At Centraleyes, we understand what a major undertaking the VCDPA is. Some of the privacy rights and limitations in the CCPA and CPRA align exactly with concepts in the VCDPA – companies can thus cross-reference their CCPA/CPRA compliance efforts when complying with the VCDPA using Centraleyes’ automated platform.

Consumer data protection is a trend that is quickly gaining traction across the country. Privacy and security have become an integral part of the risk management industry, and privacy laws will soon be commonplace across the US. With Centraleyes, you can crosswalk controls and documentation across different laws and frameworks, cutting hours of preparation from your compliance requirements.
