Another year, another set of state-mandated data privacy regulations.  Like California, which passed the California Consumer Privacy Act (CCPA) in 2018, the state of Virginia has now enacted its own legislation.  Governor Ralph Northam of Virginia signed the Virginia Consumer Data Protection Act (VCDPA) into law in March 2021.  The statute takes effect on January 1, 2023, giving affected parties ample time to prepare.  Like other similar protection acts, Virginia legislators want to enforce greater transparency concerning the processing of personal data and give residents greater control over what is done with their personal information.

Who is Affected by VCDPA?

As written, the VCDPA applies to qualifying legal entities, known as controllers, that conduct business in the state of Virginia or produce goods or services that target consumers who reside within the state.  To qualify, a controller must meet one of two criteria:

  1. It controls or processes the personal data of at least 100,000 consumers during a calendar year, or
  2. It controls or processes the personal data of at least 25,000 consumers during a calendar year and derives over 50 percent of its gross revenue from the sale of personal data.

What Type of Data Does VCDPA Cover?

For clarification, VCDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”  In addition to the obvious forms of personal data, VCDPA carves out a subset called “sensitive data,” which carries additional consent requirements and includes personal data revealing:

  • religious beliefs
  • sexual orientation
  • citizenship or immigration status
  • racial or ethnic origin
  • precise geolocation, biometric and genetic data

Personal data under VCDPA does not include information that is publicly available, nor does it include de-identified data.  De-identified data refers to data from which all personally identifiable information has been removed so that it cannot reasonably be linked back to an individual.  The term “consumer” is defined as any natural person residing in the state of Virginia who is acting only in an individual or household context, which excludes people acting in a commercial or employment context.

Like the CCPA and other state-mandated data protection legislation, VCDPA has some exemptions:

  1. State and local governmental entities
  2. Entities that are already subject to federal laws such as HIPAA and GLBA
  3. Data categories already protected by federal laws such as HIPAA and the Children’s Online Privacy Protection Act (COPPA)


Rights Afforded to Virginia Consumers

Like the CCPA and similar state laws, VCDPA gives Virginia consumers more control over their data and what is done with it.  Virginia consumers will have the following rights with respect to controllers that process and/or store their data:

  • The right to confirm whether a controller is processing their personal data, and to access that data
  • The right to correct inaccuracies in their personal data
  • The right to request the deletion of their personal data
  • The right to obtain a copy of their personal data in a portable and readily usable format
  • The right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects

A controller must respond to any of these requests within 45 days of receipt, although it may extend that period by an additional 45 days when reasonably necessary, provided it informs the consumer of the extension and the reason for it.  Controllers must also establish a process by which consumers can appeal a decision to decline to act on a request, and must inform the consumer of that process when declining.


Business Responsibilities

Under VCDPA, controllers are required to clearly disclose whether they sell personal data to third parties or process personal data for targeted advertising.  They must also limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purposes for which the data is processed, and they must implement reasonable administrative, technical and physical data security practices to protect it.

Like other data protection laws, VCDPA is about more than data transparency.  Controllers that fall under VCDPA’s jurisdiction must conduct and document data protection assessments for processing activities that carry heightened risk, such as targeted advertising, the sale of personal data, certain kinds of profiling, and the processing of sensitive data.  This resembles the data protection impact assessment requirement under GDPR, although Virginia’s version does not yet specify a frequency or time window for these assessments.

VCDPA provides no private right of action, so consumers cannot sue over violations themselves.  Enforcement is reserved for the state Attorney General, who must first give the controller written notice and a 30-day window to cure the violation, and who can then seek a civil penalty of up to $7,500 per violation.


How HALOCK can help

Even if your business is not located in Virginia, it may still fall within the VCDPA’s scope, just as with the CCPA and other data protection laws.  Other states are following suit as well, including Washington, Colorado, Connecticut, and Minnesota.  All of this makes staying in compliance more complicated and confusing.  That’s why businesses today need a partner that is well versed in the growing web of compliance regulations.  Our teams of cybersecurity and legal experts understand the details and challenges of these regulations and can help you create a strategy to ensure compliance.  We can also perform the required risk assessments to identify vulnerabilities and determine the right-sized security controls to satisfy your duty of care obligations.  No matter where you are located, HALOCK can help.  Review your data privacy posture.