What is the Virginia Consumer Data Privacy Act?
The Virginia Consumer Data Privacy Act (VCDPA) provides consumers with specific rights related to their personal data. To guarantee these rights, the law simultaneously places stringent legal obligations on covered businesses that collect personal information from Virginia residents. Specifically, the Virginia Consumer Data Privacy Act requires that businesses:
- Limit data collection. The VCDPA requires companies to minimize the collection of data to what is adequate, relevant, and reasonably necessary to achieve the processing purposes disclosed to consumers.
- Utilize proper data security procedures. Businesses must establish and maintain reasonable data security procedures and practices to ensure the confidentiality, transparency, and integrity of consumer data.
- Implement data processing agreements. The law requires that businesses enter into data processing agreements with their data processors. These contracts must include particular terms governing the data processor’s processing procedures undertaken on behalf of another business.
- Provide a privacy notice. Under the VCDPA, companies must have a privacy notice that is clear and accessible to all consumers. There are specific standards that this privacy notice must meet, and your attorney can provide further guidance on this.
- Give notice of sale. Any business that sells personal data to third parties must clearly and conspicuously disclose this to consumers and give them the opportunity to exercise their opt-out right.
- Perform a consumer protection assessment. Companies must conduct – and document – a comprehensive data protection assessment to determine the risk and benefits of specific processing activities.
Who Must Comply With the VCDPA?
The VCDPA applies to all companies that market goods and services to residents of the state and that (1) control or process personal data of at least 100,000 Virginia consumers during a calendar year, or (2) control or process personal data of at least 25,000 Virginia consumers and derive more than 50 percent of gross revenue from selling personal data. Noncompliance will put your business at risk of legal penalties and hefty fines.
If your company is subject to the Virginia Consumer Data Privacy Act, it is essential that you implement and maintain compliance procedures that align with the requirements established by this law. Noncompliance with the VCDPA can result in financial penalties of up to $7,500 per violation. We will work alongside your team to help your business achieve compliance with the VCDPA and mitigate the risk of costly legal enforcement actions.
The compliance procedures you utilize in your business operations are key. By reviewing your current data collection and processing protocols, updating your privacy policy, and establishing a procedure for handling consumer requests and appeals, we can help assess your compliance status and provide guidance on necessary next steps.
Questions about the Virginia Consumer Data Privacy Act or other data privacy laws? We can help. Let’s chat.