Connect with us

Tips & Tricks

Preparing for the Virginia Consumer Data Protection Act (VCDPA)

Published

on

Virginia Consumer Data Protection Act (VCDPA)


While the United States does not have a federal privacy law (unless you are in healthcare, financial services, or are targeting children under the age of 13), more and more states are passing their own privacy laws to protect their residents.

One such state is Virginia, which passed the Virginia Consumer Data Protection Act (VCDPA) in 2021. While this law goes into effect on January 1st, 2023, companies that need to comply should begin their preparations now as the requirements of this new law are extensive, and the penalties for failure to comply are steep.

In this article, we will discuss who the VCDPA applies to, the consumer privacy rights that the law provides to the residents of Virginia, VCDPA’s Privacy Policy requirement, and penalties for failure to comply. We will also provide you with some tips on how you can prepare for this new privacy law if it applies to you.

Who Needs to Comply With the VCDPA?

Privacy laws are passed to protect individuals, not businesses, and thus have a very broad reach and can apply to businesses outside of the state or country in which they are passed. The VCDPA is no exception and applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following criteria:

  • During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
  • Control or process the personal data of at least 25,000 residents of Virginia and derive 50% or more of gross revenue from the sale of personal data.

If you meet the criteria above, the VCDPA applies to you, and you need to ensure that you are in compliance with this law before it goes into effect.

What Privacy Rights Does the VCDPA Provide?

The purpose of privacy laws is to protect the privacy of individuals. This is usually achieved by providing individuals with privacy rights. VCDPA provides the following privacy rights to residents of Virginia:

  • The right to confirm whether their personal data is being processed and to access such personal data;
  • The right to correct inaccuracies in their personal data;
  • The right to delete their personal data;
  • The right to opt-out of the use of their personal data for the purpose of targeted advertising;
  • The right to say no to the sale of their personal data;
  • The right to opt-out of the use of their personal data for the purposes of profiling;
  • The right to equal service and price, even if the individual exercises their privacy rights;
  • The right to request their personal data in a portable and, to the extent feasible, readily usable format that allows the individual to transmit that data to another entity.

It is important to note here that the VCDPA requires businesses to respond to individuals that have requested to exercise their privacy rights within 45 days of receipt of the request.

In addition, a unique feature of the VCDPA is that it allows residents of Virginia to file an appeal if they receive an unsatisfactory response from the business. This means businesses responding to such a request should be able to demonstrate how they arrived at their response and explain to the individual the reasoning behind their response.

If the VCDPA applies to you, you should be prepared for privacy rights requests by determining what data you collect, where you store it, and who you share it with. Businesses should also prepare procedures that include instructions that employees should follow to process and respond to privacy rights requests.

Lastly, agencies that work with clients that need to comply with the VCDPA should be aware of the fact that their clients may ask them for help with responding to privacy rights requests as clients do not always know how to access the data that their website collects or how to correct that data or delete it.

To help with this process, agencies should familiarize themselves with their obligations under the contracts with their clients when it comes to data privacy and should ensure that they fully understand where the website keeps personal data and how that data can be corrected, deleted, or accessed.

The VCDPA Privacy Policy Requirement

If the VCDPA applies to you, you will also need to have a Privacy Policy on your website that makes the following disclosures:

  • The categories of personal data that you process;
  • The purposes of processing that personal data;
  • How individuals can exercise their privacy rights under the law and how they can appeal your responses to their requests;
  • The categories of personal data that you share with third parties;
  • Whether you sell personal data or process it for the purpose of targeted advertising and how individuals can opt-out of such uses or sales;
  • How individuals can exercise their privacy rights.

If the VCDPA does apply to you, it is important that your website contains the above disclosures prior to the law’s effective date to ensure compliance.

Processor Obligations

The VCDPA is similar to another privacy law, the European Union’s General Data Protection Regulation (GDPR) in the sense that it splits data stewards into two categories – processors and controllers.

A controller is a natural or legal entity that determines the purposes and means of processing personal data. On the other hand, a processor is a natural or legal entity that processes personal data on behalf of the controller. If you are an agency, chances are that you will probably be the processor in relation to your client.

If you are a processor of data as defined by this law, you must ensure that you have a clear contract with your client that spells out your obligations and provides the instructions regarding your processing of this data.

As a processor, you will have to follow the client’s instructions and will need to help them comply with their obligations under this law by, for example, securely processing the personal data and providing the client with the necessary information to complete a Data Protection Assessment if they do need to complete one.

In addition, you will also have to comply with requests to delete or return data and provide the client with sufficient information to be able to demonstrate their compliance with the law.

Enforcement

The VCDPA will become effective on January 1, 2023. At this time, the Virginia Attorney General will be able to enforce the law and apply penalties for violations. Penalties can be up to $7,500 per violation.

In this case, “per violation” means per website visitor whose privacy rights you infringed upon so these penalties can add up quickly into a very large sum. Thus, if the law applies to you, the time to start preparing is now!

Please note that the information provided in this article is provided for informational purposes only and should not be considered legal advice. Please consult with an attorney for help with your specific legal needs.



Source link

Continue Reading
Click to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.