Privacy Law Update: Virginia’s Consumer Data Protection Act – Final
Written by Rick Buck, Chief Privacy Officer, WireWheel
From a privacy perspective, 2021 is getting off to a quick start in the United States. Baseline privacy bills are currently pending in at least 13 state legislatures. On March 2, 2021, Virginia Governor Northam signed into law H.B. 2307, the Virginia Consumer Data Protection Act (VCDPA), making Virginia the first state to pass a comprehensive privacy law in 2021.
The VCDPA resembles the GDPR and the CCPA and is nearly identical to the Washington Privacy Act. It requires opt-in consent for the processing of sensitive data and incompatible secondary uses, Data Protection Assessments, and compliance with consumer rights: access, deletion, correction, portability, and opt-outs of sale, targeted ads, and profiling.
Effective January 1, 2023, the VCDPA will apply to:
- Companies that do business in Virginia or that target their products or services to Virginia residents and that
- Control or process “personal data” relating to at least 100,000 Virginia residents during a calendar year
- Personal data that relates to individuals who are residents of Virginia to the extent that those individuals are acting in “an individual or household context,” but not to the extent that the individuals are acting in “a commercial or employment context.”
VCDPA provides rights to Virginia residents (consumers) to:
- Confirm whether a controller is processing their personal data and access that data
- Correct inaccuracies in their personal data
- Delete their personal data provided by or obtained about the consumer
- Obtain a copy of their personal data in a portable, readily usable format
- Opt-out of the processing of their personal data for purposes of sale, targeted advertising, or profiling decisions
Unlike the CCPA, the VCDPA:
- Has a 30-day cure period
- Requires that a controller create a process for a Virginia resident to appeal the controller’s refusal to take action on such a request
- More clearly articulates the distinction between a “controller” and a “processor”
- Requires that controllers conduct and document “data protection assessments” regarding certain activities (e.g., the processing of sensitive data).
- Has exemptions for:
  - Financial institutions
  - HIPAA covered entities and business associates
  - Higher education institutions
The VCDPA will be enforced by the Virginia Attorney General’s office.
- Violations have a 30-day notification period to allow the controller or processor the opportunity to cure the violation
- Uncured violations are subject to action seeking $7,500 per violation
- Does not include a private right of action
While Virginia is the first state to enact a data privacy law in 2021, it won’t be the last. Complying with this law (as currently written) will in many ways be consistent with what you are doing in California and the European Union. If you’ve mapped to those requirements, you are pointed in the right direction to comply with VCDPA. There is, however, still work to be done, including updating your policies, vendor agreements, and subject request mechanisms, and re-assessing your products, systems, and services. The WireWheel platform is built with the flexibility to accommodate these changes with ease and efficiency.