Virginia’s new Consumer Data Protection Act (“VCDPA”) was signed into law on March 2, 2021 and took effect on January 1, 2023. The VCDPA has a major impact on covered businesses and the time to educate yourself for the sake of your business is now.
What businesses does the VCDPA apply to?
The VCDPA applies to businesses that either:
- Conduct business in Virginia, or
- Produce products or services that are targeted to residents of Virginia,

and that, during a calendar year, either:
- Control or process personal data of at least 100,000 consumers; or
- Control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.
Who is exempt from the VCDPA?
The VCDPA exempts:
- Any “body, authority, board, bureau, commission, district, or agency” of Virginia or any of its political subdivisions.
- Financial institutions, or data, subject to the federal Gramm-Leach-Bliley Act.
- Covered entities or business associates governed by HIPAA or the HITECH Act.
- Nonprofit organizations.
- Institutions of higher education.
Who does the VCDPA protect?
The VCDPA is designed to protect consumers in an individual or household context. The VCDPA does not include a person acting in a commercial or employment context.
What types of data does the VCDPA include?
- Personal data: any information that is linked or reasonably linkable to an identified or identifiable person. This does not include de-identified data or publicly available information.
- Sensitive data: a category of personal data that includes any of the following:
  - Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  - The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
  - The personal data collected from a known child.
  - Precise geolocation data.
- Biometric data: data generated by automatic measurements of an individual’s biological characteristics (e.g. a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual). This does not include a physical or digital photograph, a video or audio recording (or data generated therefrom), or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
What rights do consumers have under the VCDPA?
The VCDPA provides consumers with certain rights, such as the right to:
- Confirm whether a business is processing the consumer’s personal data.
- Correct inaccuracies in the consumer’s personal data.
- Delete personal data provided by or obtained about the consumer.
- Obtain access to and a copy of the consumer’s personal data.
- Opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
What are covered businesses required to do under the VCDPA?
- Notice. Businesses must provide consumers with an accessible, clear, and meaningful privacy notice that tells them:
  - What personal data is collected.
  - The purpose for the processing of personal data.
  - The categories of personal data shared with third parties.
  - The categories of third parties with whom the controller shares personal data.
  - How consumers may exercise their rights under the VCDPA.
- Disclosures. A business must disclose its intent to sell data to third parties or to process personal data for targeted advertising and must explain how the consumer can opt out.
- Limits on data collection. The VCDPA limits personal data collection to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed, unless consent is obtained from the consumer.
- Security. The VCDPA requires businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data. Businesses are also required to conduct data protection assessments on certain processing activities involving personal data. The VCDPA emphasizes reasonableness; security practices should therefore be appropriate to the volume and nature of the personal data at issue.
- Anti-Discrimination. The VCDPA prohibits businesses from discriminating against consumers for exercising any of their rights under the Act. For example, a business cannot deny a consumer goods or services, charge different prices/rates, or provide a different quality of goods or services to a consumer because he or she chose to opt out of the processing of personal data or correct an inaccuracy in personal data.
What are the requirements of businesses if they receive a consumer request?
- Initial Request. Covered businesses must establish, and describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their rights. Once a consumer submits a request, businesses have 45 days to respond, which may be extended for an additional 45 days when reasonably necessary, provided the controller informs the consumer of the extension and the reason for it within the initial 45-day period.
- Appeals. If the business declines to take action, it must inform the consumer of its justification and provide instructions on how to appeal the decision. Within 60 days of receipt of an appeal, a business must inform the consumer, in writing, of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller must also provide the consumer with information on how the consumer can submit a complaint to the Attorney General.
- Costs. Any information provided by a business to a consumer in response to a consumer request must be provided free of charge, up to twice annually per consumer. However, if requests from a consumer are “manifestly unfounded, excessive, or repetitive,” the business may decline to act on the request or charge the consumer a reasonable fee to cover the administrative costs of complying with the request.
How is the VCDPA enforced?
The VCDPA provides no private right of action; the Virginia Attorney General has exclusive enforcement authority. Violators are allowed a 30-day cure period to correct violations.
What are the penalties for violations of the VCDPA?
Penalties include injunctive relief and fines of up to $7,500 for each violation.
What can businesses do to ensure compliance with the VCDPA?
- Inventory Data. Covered businesses need to take a careful look at the data they are collecting and the purpose for collecting it. Businesses should keep in mind the VCDPA’s emphasis on reasonableness and ask themselves whether the type and amount of data collected, and the purpose for collecting it, are reasonable.
- Notices. As detailed above, the VCDPA requires businesses to provide consumers with an accessible, clear, and meaningful privacy notice regarding the collection of data and how consumers can exercise their rights under the Act. An accurate and up-to-date privacy notice is vital to a business’s compliance with the VCDPA.
- Procedure. Businesses should have clear policies and procedures outlined for how they will respond to consumer requests pursuant to the VCDPA.
- Consent. Every business should have a procedure for obtaining consent from consumers for the processing of certain personal or sensitive data.
- Update Data Security. Businesses should ensure that their current security policies adequately protect personal data and comply with the VCDPA. The Attorney General can, pursuant to a civil investigation, require a business to disclose any data protection assessments and review them for compliance.
- Third Party Agreements. Third parties with access to consumers’ personal data are also subject to the VCDPA. Thus, a covered entity that engages these third parties needs to ensure the third party is aware of its obligations. Agreements between the covered entity and third parties should detail these requirements.
The attorneys at Parks Zeigler are available to help you determine if the VCDPA applies to your business and, if so, the steps required to ensure your business is compliant. Contact us today at 888-691-9319 for a consultation, or fill out this short form now to get started right away.