Virginia Consumer Data Protection Act Explained

What is the Virginia Consumer Data Protection Act?

In 2021, Virginia became the second U.S. state after California to enact a consumer data protection act, the Virginia Consumer Data Protection Act (VCDPA).


Like most modern privacy laws, the VCDPA is meant to provide consumers with comprehensive data privacy in a world where business models are becoming heavily reliant on data. To achieve this, it focuses on a few specific areas. 


Here's a breakdown of what that means and how it impacts businesses.


Highlights

  • The Virginia Consumer Data Protection Act (VCDPA) is a law enacted to provide Virginians with rights over how their personal data is used by businesses. Enforced from 2023, it applies to entities conducting business in Virginia or processing substantial amounts of Virginians' data.
  • The act ensures state residents can access, control, correct, and delete their personal data, and opt out of data processing for targeted advertising, the sale of data, or significant profiling.
  • Companies are obliged to conduct data assessments, respect consumer rights, minimize data collection, protect sensitive data, prevent discrimination, maintain security measures, manage third-party relationships, and be transparent.
  • Businesses should implement systems and procedures, such as those offered by iDox.ai, to manage data responsibly and comply with the VCDPA, ensuring partnerships and third-party processes align with the regulations.


The Consumer Perspective

The VCDPA's consumer rights are designed to protect consumers from unfair or deceptive business practices. Consumers are clearly defined as state residents acting on behalf of themselves or their households – notably excluding individuals acting on behalf of companies, such as employees.


The law's provisions for consumers include the right to know what information is being collected about them, the right to have their personal information protected, the right to access their personal information, and the right to control how their personal information is used. 


For instance, a shopper who frequents an online storefront can ask the site for a copy of the data it stores about them—or request that it be deleted entirely.


Consumers can also ask to opt out of having their data processed for targeted advertising, sale, or profiling. When covered users exercise their right to make requests under any of these provisions, covered businesses have to comply, which brings us to the next topic.


How the Law Impacts Businesses

According to the text of the VCDPA, its provisions apply only to entities that:


  • Conduct business in the state, and
  • Control or process at least 100,000 consumers' personal data annually, or at least 25,000 consumers' personal data if they derive more than 50% of their gross revenue from selling such data.


Broadly speaking, businesses covered under the VCDPA are obligated to protect the consumer's personal data from misuse, unauthorized access, and disclosure. They're also responsible for providing accurate and complete information about their data collection and use practices, which includes supplying consumers with privacy policies.


We already mentioned that businesses have to comply with deletion requests and let consumers know what they're doing with their information. 


As with most new laws, however, some edge cases might catch companies off-guard, even though the legislation itself is fairly succinct:


  • The VCDPA includes exemptions for private data already covered by other laws. For instance, if you're a medical device manufacturer that keeps patient information as per the Family Educational Rights and Privacy Act (FERPA) or Health Insurance Portability and Accountability Act (HIPAA), you'll need to comply with those laws' consumer protection tenets instead. Carve-outs also apply to nonprofits, educational institutions, state government agencies, certain regulated financial institutions, and those who collect data covered under the Children's Online Privacy Protection Act (COPPA).
  • Information that can identify personal devices without identifying the people who own or use them may be exempt. It's not clear, however, whether these rules were meant to cover common technologies like tracking cookies.
  • Companies that want to collect and use information don't get to have a free-for-all. They have to limit such activities to what's reasonably necessary for their use case and only collect data pertaining to it. Since this is somewhat imprecise, it's worth implementing safeguards – like tools that automatically alert you when you might need to ask a consumer for their consent.
  • The VCDPA makes security measures essential, requiring businesses to maintain such practices to stay compliant. In other words, you can't just say you're operating in a responsible, secure manner: You need to be able to prove it if challenged.


What Companies Need to Do to Comply With the Virginia Consumer Data Protection Act

Here are some of the key requirements for companies covered by the VCDPA:


  1. Data Protection Assessment: Companies have to conduct data protection assessments of their processing activities, particularly for processing that presents a heightened risk of harm to consumers, such as processing personal data for targeted advertising, selling personal data, or processing sensitive data.
  2. Consumer Rights: The VCDPA grants various rights to the consumer as a data subject, including the right to access their personal data, correct inaccuracies, delete personal data, obtain a copy of their data in a portable format, and opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
  3. Data Minimization: Companies have to limit the collection of personal data to what is adequate, relevant, and necessary concerning the purposes for which the data is processed.
  4. Consent for Sensitive Data: Express consent is required to process sensitive data, which includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data for uniquely identifying a natural person, and personal data collected from a known child.
  5. Non-Discrimination: Companies are not allowed to discriminate against consumers for exercising their rights under the VCDPA.
  6. Security Practices: Organizations are required to establish and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  7. Third-Party Relationships: Companies need to ensure that their data processors are adhering to the VCDPA and have to enter into contracts that require processors to follow instructions, understand their duties and delete or return personal data upon the end of the service provided.
  8. Transparency: The VCDPA requires that companies provide a clear and meaningful privacy notice that includes the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of personal data that the company shares with third parties, and the categories of third parties that the company shares data with.
  9. Data Protection Officer (DPO): Although not explicitly required by the VCDPA, appointing a DPO can help organizations monitor compliance, manage data protection strategies, and act as a point of contact for data subjects and regulators.
  10. No Sell Provision: Companies that sell personal data are called upon to include a clear and conspicuous link on their homepage titled "Do Not Sell My Personal Data," allowing consumers to opt out.


Frequently Asked Questions

Does the VCDPA Apply in a Commercial or Employment Context?

The VCDPA focuses on the rights of consumers regarding the processing of personal data by businesses, meaning that it applies to a commercial context. Employees notably aren’t covered by the VCDPA, and their rights are regulated by other personal data protection laws.


Does the Protection of Genetic or Biometric Data Fall Under the VCDPA?

Yes, the VCDPA classifies biometric data as a type of "sensitive data," which is afforded additional protection under the act.


How Does the VCDPA Discern Between a Processor and a Controller?

A controller is a legal or natural person who, alone or jointly with others, determines the purpose and means of processing personal data. The controller decides the extent to which the processor is allowed to process personal data relating to the organization’s purpose. Meanwhile, the processor is the person processing personal data on behalf of the controller.


The Final Takeaway for Covered Companies

Not knowing that your business practices might be covered under the VCDPA doesn't let you off the hook. If you operate in Virginia or serve consumers from the state, it's critical to have systems in place that help you toe the line. For instance, you might use software tools to find personally identifiable information in scanned documents and communications to make compliance easier.


One area where companies commonly trip up is when they work with third-party processors. Shifting the blame isn't a valid legal defense against a VCDPA claim. You're responsible for ensuring that your partners and business systems also comply with the rules.


iDox.ai makes it easier to protect your consumers and your enterprise. By using SOC 2-compliant, ISO 27001-certified AI technology to find personal information, redact documents, and keep you on top of your security stance, iDox.ai powers business practices that meet legal requirements with fewer operational burdens.


Reach out to iDox.ai today to learn how to keep your enterprise ready for the privacy-oriented legal landscape.
