What is the Virginia Consumer Data Protection Act and How Does it Affect Your Privacy Program?

What is the Virginia Consumer Data Protection Act

Enactment of the Virginia Consumer Data Protection Act (VCDPA) is a significant development in privacy legislation in the United States, and companies doing business in Virginia and other states should take notice.  Virginia becomes the second state (after California) to pass a comprehensive privacy law, and with a number of other states considering privacy bills, it is clear that the privacy regulatory landscape in the United States is about to become much more complex.

The VCDPA contains elements of existing privacy laws, such as the European Union’s GDPR and California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA).  Companies familiar with these regulations might even find some of the legal definitions in the VCDPA familiar:

  • Sale of personal data – the exchange of personal data for monetary consideration by the controller to a third party.
  • Consumer – a person who is a resident of Virginia and acts only in an individual or household context. Individuals acting in an employment or commercial context are not considered “consumers” under the Act.
  • Controller – a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processors of personal data – a natural or legal person who processes personal data on behalf of a controller.
  • Third party – a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

What Obligations Does the VCDPA Impose on Companies?

  • Notice – post a privacy notice to your website or app displaying all intended purposes for use of the personal data.
  • Data minimization – limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
  • Data security – maintain reasonable administrative, technical, and physical data security practices.
  • Data Protection Assessments – perform a data protection assessment with respect to each of the following processing activities involving personal data: (1) processing of personal data for purposes of targeted advertising; (2) sale of personal data; (3) processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of a substantial injury to consumers; (4) processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to the consumers.
  • Consent to process “sensitive data” – obtain consent from data subjects before collecting or processing sensitive data for any purpose. “Sensitive data” is defined as personal data that reveals a data subject’s:
    • Racial or ethnic origin
    • Religious beliefs
    • Mental or physical health diagnosis
    • Sexual orientation
    • Citizenship or immigration status
    • Genetic or biometric data
    • Parental status
  • Facilitate privacy rights of Virginia consumers:
    • Right to know what personal data is held by a company and for what purpose;
    • Right to correct inaccuracies;
    • Right to request deletion of personal data;
    • Right to data portability;
    • Right to opt out of targeted advertising, profiling, and sale of personal data.
  • Fulfill data subject requests within 45 days and provide a right to appeal if you decline to act on the request.
  • Protect de-identified data
  • Contractual control of processors – include contractual provisions that limit the purposes for which the data will be used, allow for due diligence on data processes, require deletion upon request, obligate the processor to maintain confidentiality, and require the processor to flow down these obligations to downstream vendors and subcontractors.

How to Comply with the VCDPA if You’re already Complying with the CCPA?

  1. Deep scan databases to account for sensitive data.
  2. Establish a secure consent process for sensitive data.
  3. Establish an appeals process for data subject requests.
  4. Establish a process to correct inaccurate data.
  5. Establish a process for data impact assessments.
  6. Keep notices up to date.
  7. Update vendor contracts.
  8. Evaluate deidentification processes in accordance with the VCDPA requirements.
  9. Evaluate your security procedures and reporting obligations.
  10. Implement data minimization practices.
  11. Establish a process for opting out of automated processing and targeted advertising.

