What is the Virginia Consumer Data Protection Act and How Does it Affect Your Privacy Program?
Enactment of the Virginia Consumer Data Protection Act (VCDPA) is a significant development in privacy legislation in the United States, and companies doing business in Virginia and other states should take notice. Virginia becomes the second state (after California) to pass a comprehensive privacy law, and with a number of other states considering privacy bills, it is clear that the privacy regulatory landscape in the United States is about to become much more complex.
The VCDPA contains elements of existing privacy laws, such as the European Union’s GDPR and California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA). Companies familiar with these regulations might even find some of the legal definitions in the VCDPA familiar:
- Sale of personal data – the exchange of personal data for monetary consideration by the controller to a third party.
- Consumer – a person who is a resident of Virginia and acts only in an individual or household context. Individuals acting in an employment or commercial context are not considered “consumers” under the Act.
- Controller – a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processors of personal data – a natural or legal person who processes personal data on behalf of a controller.
- Third party – a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
What Obligations Does the VCDPA Impose on Companies?
- Notice – post a privacy notice to your website or app displaying all intended purposes for use of the personal data.
- Data minimization – limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
- Data security – maintain reasonable administrative, technical, and physical data security practices.
- Data protection assessments – perform a data protection assessment with respect to each of the following processing activities involving personal data: (1) processing of personal data for purposes of targeted advertising; (2) sale of personal data; (3) processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of a substantial injury to consumers; (4) processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to consumers.
- Consent to process “sensitive data” – obtain consent from data subjects before collecting or processing sensitive data for any purpose. “Sensitive data” is defined as personal data that reveals a data subject’s:
  - Racial or ethnic origin
  - Religious beliefs
  - Mental or physical health diagnosis
  - Sexual orientation
  - Citizenship or immigration status
  - Genetic or biometric data
  - Parental status
- Facilitate privacy rights of Virginia consumers:
  - Right to know what personal data is held by a company and for what purpose;
  - Right to correct inaccuracies;
  - Right to request deletion of personal data;
  - Right to data portability;
  - Right to opt out of targeted advertising, profiling, and sale of personal data.
- Fulfill data subject requests within 45 days and provide a right to appeal if the company declines to act on the request.
- Protect de-identified data.
- Contractual control of processors – include contractual provisions that limit the purposes for which the data will be used, allow for due diligence on data processes, require deletion upon request, obligate the processor to maintain confidentiality, and require the processor to flow down these obligations to downstream vendors and subcontractors.
How to Comply with the VCDPA if You’re Already Complying with the CCPA
- Scan databases thoroughly to account for sensitive data.
- Establish a secure consent process for sensitive data.
- Establish an appeals process for data subject requests.
- Establish a process to correct inaccurate data.
- Establish a process for data impact assessments.
- Keep notices up to date.
- Update vendor contracts.
- Evaluate deidentification processes in accordance with the VCDPA requirements.
- Evaluate your security procedures and reporting obligations.
- Implement data minimization practices.
- Establish a process for opting out of automated processing and targeted advertising.