Virginia Consumer Data Privacy Act

What is the Virginia Consumer Data Privacy Act?

Virginia Consumer Data Privacy Act (VCDPA) provides consumers with specific rights related to their personal data. To guarantee these rights, the law simultaneously places stringent legal obligations on covered businesses that collect personal information from Virginia residents. Specifically, the Virginia Consumer Data Privacy Act requires that businesses:

• Limit data collection. The VCDPA requires companies to minimize the collection of data to what is adequate, relevant, and reasonably necessary to achieve the processing purposes disclosed to consumers.
• Utilize proper data security procedures. Businesses must establish and maintain reasonable data security procedures and practices to ensure the confidentiality, transparency, and integrity of consumer data.
• Implement data processing agreements. The law requires that businesses enter into data processing agreements with their data processors. These contracts must include particular terms governing the data processor’s processing procedures undertaken on behalf of another business.
• Provide a privacy notice. Under the VCDPA, companies must have a privacy notice that is clear and accessible to all consumers. There are specific standards that this privacy notice must meet, and your attorney can provide further guidance on this.
• Give notice of sale. Any business that sells personal data to third parties must clearly and conspicuously disclose this to consumers and provide the opportunity for consumers to exercise their opt out right.
• Perform a consumer protection assessment. Companies must conduct – and document – a comprehensive data protection assessment to determine the risk and benefits of specific processing activities.