The Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, positions Virginia as a leader in consumer data protection in the United States, closely following the lead of California with its own comprehensive data protection law. Designed to protect personal data, the VCDPA gives Virginia residents specific rights while imposing obligations on businesses that collect and process such data.
Which businesses need to comply with the VCDPA?
Organizations that conduct business in the Commonwealth or produce products or services targeted to residents of Virginia and control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive more than 50 percent of gross revenues from the sale of personal data.
What is the VCDPA about?
- Consumer Rights: Virginia consumers have the right to access, correct, and delete their data and to opt out of the sale or processing of their personal data for targeted advertising or profiling purposes.
- Clear privacy notices: Organizations need to create easy-to-understand privacy notices that explain their data handling practices.
- Affirmative Consent: Organizations must obtain affirmative consent from consumers before collecting, storing, processing, or disclosing certain types of personal data – e. g. sensitive data.
- Data Protection Assessments: Organizations should conduct a data protection assessment for processing activities involving the processing of personal data for purposes of targeted advertising, the sale of personal data or the processing of sensitive data.
Impact for businesses
- Implementing data protection measures: Organizations must implement reasonable security practices to protect personal data, limit data collection to what is necessary for specified purposes, and ensure data security.
- Addressing consumer requests: Companies must respond to consumer requests for their personal data within 45 days, with a possible extension if necessary. An appeals process for denied requests is also mandated, adding a layer of administrative responsibility for businesses.