Now Is The Time to Check Compliance with Virginia Data Protection Law

Bilzin Sumberg

Did Your Company Assess its Data Collection Practices and Update Its Privacy Policy on January 1, 2023 to Comply with Virginia’s Consumer Data Protection Law?

The Commonwealth of Virginia passed its comprehensive Virginia Consumer Data Protection Act on March 2, 2021. Virginia generously allowed nearly two years for companies that are subject to the VDCPA to assess their data collection and processing practices and, among other things, draft Privacy Policies compliant with the new law’s requirements. The VDCPA took effect on January 1, 2023. If your company is subject to the VDCPA, and did not assess its data collection and processing practices or revise its Privacy Policy to comply as of January 1, 2023, now is the time to do it.

Who Is Subject to the VDCPA?

The VDCPA applies to companies that do business in Virginia, or that produce products or services targeted to residents of Virginia. Specifically, the VDCPA applies to companies that either “control” or “process” the personal data of at least 100,000 consumers from Virginia, or “control” or “process” personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The VDCPA does not apply to government entities, non-profit organizations, higher education institutions, or healthcare and financial institutions that are subject to other federal privacy laws such as HIPAA or the Gramm-Leach-Bliley Act.

What is “Personal Data”?

Like “personal information” in many other jurisdictions, “personal data” is any information that is linked, or reasonably linkable, to an identified or identifiable natural person. It does not include de-identified data or publicly available information.

The VDCPA also defines “sensitive data” as information collected from known children under the age of 13, genetic or biometric data if processed to identify individuals, geolocation data precise to within a radius of 1,750 feet, citizenship or immigration status, racial or ethnic origin, religious beliefs, sexual orientation or activities, or mental or physical health diagnoses.

What Do “Control” and “Process” Mean?

“Controlling” means a person or entity that determines the purpose and means of processing personal data.

“Processing” means any operation performed, whether manually or using automated means, on personal data. This includes collecting, storing, disclosing to other persons, analyzing, deleting or modifying personal data.

Simply put, a “controller” is a person or company that determines how data will be collected, stored, disclosed, shared, analyzed, deleted or modified. The “processor” is the entity that actually stores, discloses, analyzes, deletes or modifies that data.

What Does the VDCPA Require Businesses to Do?

The VDCPA requires covered entities to be transparent about their use of personal data, and to offer consumers control over their personal data. Virginia residents have the following specific rights:

  • Right of Access: Virginia residents have the right to confirm whether businesses are processing their personal data, and the right to access that information.
  • Right of Correction: Virginia residents have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing.
  • Right of Deletion: Virginia residents have the right to delete the personal data they have provided, or that the entity has collected from them. Unlike in other jurisdictions, there are no exceptions to this right of deletion in Virginia.
  • Right of Portability: Virginia residents have the right to obtain a copy of the personal data that was previously provided in a portable and readily usable format that can be transmitted to another business, where the processing is carried out by automated means, if it is technically feasible to do so.
  • Right to Opt Out: Virginia residents have the right to opt out of (i) targeted advertising; (ii) the sale of their personal data and (iii) any profiling using the data that might produce legal or similarly significant effects.

The VDCPA prohibits covered entities from processing any “sensitive data” without first obtaining the consumer’s consent. Consent must be provided by a clear affirmative act, signifying the consumer’s freely given, specific, informed and unambiguous agreement.

Finally, the VDCPA requires data controllers to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that includes the categories of personal data the controller processes and the purpose for processing that data, how consumers may exercise the rights outlined above, the categories of any personal data shared with third parties, if any, and the categories of third parties, if any, with which the controller shares personal data. Any privacy notice must also clearly include one or more secure and reliable means for consumers to submit requests to exercise their rights under the VDCPA.

What Are the Penalties for Violating the VDCPA?

The VDCPA affords Virginia’s attorney general the sole enforcement rights over VDCPA violations. Virginia’s attorney general can impose civil penalties of up to $7,500 for each violation of the VDCPA. Before any such penalties are imposed, the Virginia attorney general must provide companies with 30 days’ notice of a violation and an opportunity to cure, which means to correct the issues that led to the violation.

Because the Virginia law is nearly as comprehensive as California’s Consumer Privacy Act, companies that comply with California’s stringent requirements likely comply with the VDCPA. However, because of the nuances of the Virginia law, it is important to assess compliance with the VDCPA specifically. Companies that may be covered under the VDCPA, but have yet to assess their compliance with the VDCPA, or bring their Privacy Policies up to date with Virginia-specific language, should do so now.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
