Virginia Consumer Data Privacy Act
Consumers and regulators are more focused than ever on the data privacy and security processes of businesses that collect sensitive consumer data. As such, businesses are facing new demands related to consumer data protection. In 2021, Virginia became the second state to enact a consumer privacy law. Titled the Virginia Consumer Data Privacy Act, this legislation is now one of the most comprehensive privacy laws governing how companies collect, use, store, and share the data of consumers at the state level.
What is the Virginia Consumer Data Privacy Act?
The Virginia Consumer Data Privacy Act (VCDPA) provides consumers with specific rights related to their personal data. To guarantee these rights, the law simultaneously places stringent legal obligations on covered businesses that collect personal information from Virginia residents. Specifically, the Virginia Consumer Data Privacy Act requires that businesses:
- Limit data collection. The VCDPA requires companies to minimize the collection of data to what is adequate, relevant, and reasonably necessary to achieve the processing purposes disclosed to consumers.
- Utilize proper data security procedures. Businesses must establish and maintain reasonable data security procedures and practices to ensure the confidentiality, transparency, and integrity of consumer data.
- Implement data processing agreements. The law requires that businesses enter into data processing agreements with their data processors. These contracts must include particular terms governing the data processor’s processing procedures undertaken on behalf of another business.
- Provide a privacy notice. Under the VCDPA, companies must have a privacy notice that is clear and accessible to all consumers. There are specific standards that this privacy notice must meet, and your attorney can provide further guidance on this.
- Give notice of sale. Any business that sells personal data to third parties must clearly and conspicuously disclose this to consumers and provide the opportunity for consumers to exercise their opt-out right.
- Perform a consumer protection assessment. Companies must conduct, and document, a comprehensive data protection assessment to determine the risks and benefits of specific processing activities.
Who Must Comply With the VCDPA?
The VCDPA applies to all companies that market goods and services to residents of the state and that (1) control or process personal data of at least 100,000 Virginia consumers during a calendar year, or (2) control or process personal data of at least 25,000 Virginia consumers and derive more than 50 percent of gross revenue from selling personal data. Noncompliance will put your business at risk of legal penalties and hefty fines.
Achieving Compliance
If your company is subject to the Virginia Consumer Data Privacy Act, it is essential that you implement and maintain compliance procedures that align with the requirements established by this law. Noncompliance with the VCDPA can result in financial penalties of up to $7,500 per violation. We will work alongside your team to help your business achieve compliance with the VCDPA and mitigate the risk of costly legal enforcement actions.
The compliance procedures you utilize in your business operations are key. By reviewing your current data collection and processing protocols, updating your privacy policy, and establishing a procedure for handling consumer requests and appeals, we can help assess your compliance status and provide guidance on necessary next steps.
Questions about the Virginia Consumer Data Privacy Act or other data privacy laws? We can help. Let’s chat.