The Virginia Consumer Data Protection Act (VCDPA), which came into force on 1 January 2023, grants consumers significant rights over their personal data. This regulation represents a significant milestone in the United States' data privacy legislation, and if your business or organization falls under its scope, you’ll need to understand the ins and outs of the VCDPA in order to stay compliant.

This article is your guide to understanding the VCDPA and its implications for businesses. We'll delve into the core principles and scope, break down the jargon, and clarify the requirements, offering practical insights to help you take steps to become and stay compliant.

The Virginia Consumer Data Protection Act in a nutshell

Since the US doesn’t have a federal privacy law, the VCDPA is a state-level law that sets the rules for data protection when it comes to handling the personal and sensitive information of Virginia’s residents.

Here’s what businesses need to know about the VCDPA:

  • Control is king: Consumers get to decide who gets access to their personal and sensitive data and what they can do with it.
  • It's all about transparency: The VCDPA expects you to be clear about what data you're collecting, how you're using it, and who you're sharing it with. If you want to be compliant, it’s time to lay your cards on the table.
  • Virginia's rules apply: If you're doing business in Virginia or catering to Virginians, the VCDPA should be on your radar. Whether you're a local hero or a global player, if you meet the requirements, you've got to play by Virginia's data privacy rules. More about VCDPA’s scope is below.
  • No need for consent, except...: You don't need to ask for consumer consent every time you handle personal data. But sensitive data is a different story! That requires an explicit nod from the consumer. So, play it safe and get permission when you're dealing with the juicy stuff.
  • Big Brother is watching! The Virginia Attorney General is the VCDPA's enforcer. If you are in violation of VCDPA’s rules, you will be hearing from them. Luckily, there’s usually a 30-day grace period to fix your slip-ups. More about VCDPA penalties is below.

Now, let’s look at VCDPA a little closer.

Understanding VCDPA’s purpose

At its heart, the VCDPA aims to give consumers more control over what happens with their personal data, protecting their right to privacy. It sets clear rules for businesses on how they collect, use, and share this precious data.

The VCDPA aims to empower individuals and foster trust between businesses and their customers in the digital age, where hackers are rampant, and data privacy has become paramount for everyone's peace of mind.

Simply put, the VCDPA's purpose is to create a safer and more transparent digital landscape for everyone involved.

Scope: Who does the VCDPA apply to? 

Next, let's figure out if your organization falls under VCDPA’s umbrella, making its rules apply to you.

All you need to do is answer these two questions:

Does your business conduct its affairs in Virginia, or are you targeting the folks who reside there with your products or services?

Do you also handle the personal data of at least 100,000 consumers during a calendar year, or collect data from 25,000 or more consumers while deriving more than 50% of your earnings from selling this personal data?

If you answered YES to both, then congratulations, you’re in!

But wait, not everyone's riding into this data privacy rodeo. Financial institutions under the Gramm-Leach-Bliley Act, healthcare organizations abiding by HIPAA, non-profits, higher education institutions – they're all exempt.

Definitions of the VCDPA: Deciphering the data lingo 

Let's break down some of the key terms you'll come across in VCDPA. These may not be defined the same in other states’ privacy acts, so it’s important to pay close attention.

  • Personal data: This is the obvious star of the VCDPA show. It's basically any information that's tied to a living, breathing person. Think names, emails, addresses – the usual suspects. De-identified data and information that's publicly available aren't considered personal data.
  • Sensitive data: If personal data is the star of the show, sensitive data is like the VIP section. It includes data about children under 13, health and biometric info, geolocation data, and personal details like race, religion, or sexual orientation. Handling this data requires extra care under the VCDPA.
  • Sale: According to VCDPA, a "sale" is when you exchange personal data for monetary consideration with a third party.
  • Processing: This is a broad term that covers any action taken with consumers’ personal data – collecting, using, storing, sharing, and even deleting it.
  • Thresholds: Remember, it's not just about having data; it's about how much of it you've got. The VCDPA sets specific thresholds to determine if the regulation applies to an organization or not. So, knowing how much data you're dealing with is crucial to understanding whether or not you fall under the scope of the VCDPA.

Consumer rights under the VCDPA

Here are the rights that consumers are being granted under the VCDPA:

Confirmation and access: Your users have the right to know if you've got their personal data on file and what that data is. This could be basic things like their name and email, but also maybe their purchase history and other specifics. So, if “Bob” asks, you need to spill the beans.

Correction: If Bob spots a typo or something that doesn't sit right in his data, he can ask you to correct it. So, if his name's misspelled as "Bbo", you'd better fix that.

Deletion: Bob can also ask you to delete the data he provided to you or that you collected about him.

Portability: If Bob decides to move on to another service, he can ask you for his data in a format that's easy to take with him.

No to targeting: Your users, like Bob, can say "No" to targeted ads and data profiling. Imagine Bob's been browsing for hiking boots on your website, and suddenly, he's seeing hiking ads everywhere he goes online. Well, he can opt out of this tracking and stop those ads from following him.

No to sales: If your consumer doesn’t want you to sell their data, they have the right to opt out. Remember to give them the choice to do so.

Sensitive data: Remember that sensitive data we talked about earlier? For that type of information, like health records or the consumer’s exact location, you can't obtain or process it without their explicit and unambiguous consent.

VCDPA compliance: Your to-do list

The VCDPA lays out some ground rules to protect your consumers’ data, and you'll want to follow them to the T. Here’s a checklist that can help you start your journey to compliance:

Privacy notices: First up, you need to have a clear privacy notice that is easily accessible on your website. This is your way of telling your users what data you're collecting, why you're collecting it, and who you're sharing it with.


Data protection: Set up robust security practices within your company to make sure the data you collect and control doesn't fall into the wrong hands. You can assess your information security management system against guidelines such as the international standard ISO 27001 to get an idea of areas you may need to work on.


Consumer requests: Set up a process that lets consumers submit requests to exercise their rights. Respond to these requests within 45 days and give consumers a way to appeal if they're not happy with your response.


Contracts with processors: Make sure you have a contract with any third parties that process the data that your company collects. The contract has to include instructions for processing data, the purpose of data processing, and the details of the processing.


Data security assessments: A data protection assessment under VCDPA is an evaluation that weighs the potential benefits to the business against the risks to consumers associated with the processing of consumer data. Safeguards to reduce these risks should be part of the assessment. You must conduct assessments if you are a data controller and you:

  • sell personal data,
  • process personal data for the purposes of targeted advertising or profiling, or
  • process sensitive data. 

Data protection assessments are not for internal use only. The Virginia attorney general can request that a business or organization disclose relevant data protection assessments as part of an investigation.


In order for your organization to stay on top of the regulations it is subject to, it’s also a good idea to take some extra steps to protect consumer data that you collect or process.

For example:

  • Training: Educate your employees about data security in general and the VCDPA’s requirements specifically. Knowledge is power, and it helps everyone stay on the same page. Human error is very common, so you’ll want to minimize any oversights.
  • Regular audits: Protection from data loss isn’t a one-and-done deal. You’ll want to audit your data security practices periodically, conduct gap analyses, and update processes that prove insufficient.
  • Stay updated: Keep an eye on updates and changes to the VCDPA. The data privacy landscape can shift, and you want to stay ahead of the curve.

Remember, compliance is not just a legal obligation; it's a way to build trust with your users, so your attention to data security should be 100% laser-sharp.

VCDPA enforcement: Consequences and fines

Virginia isn't messing around when it comes to data privacy, so here's the lowdown on enforcement:

The Virginia Attorney General is the sole entity responsible for making sure everyone follows VCDPA’s regulations. If they find your business isn’t compliant, you could face fines up to a hefty USD 7,500 per violation. But there’s a ray of hope – the Attorney General will first give a written notice specifying the provisions that are being violated, and you have a 30-day cure period to make things right.

How Safetica can help you comply with VCDPA

Now that you've delved into the depths of the VCDPA, you're well aware of the importance of data protection and compliance. It's not just about following the rules; it's about earning trust and securing your business's future.

Safetica’s Data Loss Prevention (DLP) software can be your trusty sidekick in this quest for compliance and data security. With Safetica, you can:

  • Monitor data: Keep a vigilant eye on how data moves within your organization, spotting potential risks before they become breaches.
  • Get a heads-up: Get real-time alerts that help in detecting potential data breaches and respond promptly to incidents.
  • Prevent data leaks: Effectively protect sensitive information with data encryption and access controls.
  • Analyse risks: Privacy impact assessments can be conducted efficiently with Safetica's data monitoring and analysis capabilities.
  • Insider threats: Insider threat detection features help identify and prevent potential internal risks.

It's time to fortify your defenses and keep your data safe. Explore Safetica's DLP software today. Let's make your data security rock-solid!

