Written By Shuja Khan
Updated on June 07, 2022
Consumers are more in control of their data and privacy today than ever before.
Protecting privacy and maintaining data security has become a common topic of discussion across the globe and is gaining momentum. Following California's CCPA, Virginia has also enacted comprehensive data privacy legislation and will become the second state in the United States with such a law in effect.
On March 2nd, 2021, then-Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA), which gives consumers in Virginia the right to control the use of their data. Three amendments were proposed and signed into law by the new Virginia Governor Glenn Youngkin on April 11th, 2022. The bill's text has been finalized and will take effect in January 2023.
In this article, we will walk you through everything that you need to know about the Virginia Consumer Data Protection Act (VCDPA). It will cover:
The Virginia Consumer Data Protection Act gives consumers the right to access and control the personal information that companies hold about them. Consumers will have the right to request access to, correct inaccuracies in, and delete the personal data that businesses hold about them. Data processing, according to the Act, includes everything that organizations do with consumer data in their control. That means organizations are responsible for the safety of consumers' personal data from the time they collect it until they securely delete or erase it. Though not explicitly stated, it is important to note that if an individual's personal data is compromised because an organization failed to completely erase it from its database, the organization would be held liable.
The VCDPA refers to protecting the personal data of consumers in Virginia. The Act defines ‘Personal data’ as any information that can be reasonably associated with an identified or identifiable natural person. Data available in the public domain and anonymized data are outside the purview of the Act.
Under the Act, consumers in Virginia have rights similar to those under California's CCPA and Europe's General Data Protection Regulation (GDPR).
It can be confusing to assess whether the Virginia Consumer Data Protection Act applies to your organization. To settle that question, the Act specifies which organizations are required to comply. The Act applies to all organizations conducting business in Virginia or producing products and services for consumers in Virginia if they:
The Attorney General has exclusive authority to enforce violations of the Act after receiving consumer complaints against businesses. Businesses found violating the Virginia Consumer Data Protection Act can be fined up to $7,500 per violation, plus attorney's fees. They would also be liable for any other costs, such as expenses incurred for the investigation, if the office of the Attorney General deems it appropriate. For example, if a business is found to have compromised the data privacy of 1000 individuals, the penalty imposed could be USD 7.5 Million.
The Act does not specify a checklist for compliance for businesses. However, it places 6 responsibilities on businesses that fall under its purview.
1. Businesses should have a privacy policy in place.
Organizations need a privacy policy that clearly states whether they collect personal data, what data they collect, why they collect it, how it is stored and processed, and with whom it is shared.
2. Ensure consumer rights are exercised
The Act requires businesses to help consumers understand and exercise their rights when needed. To do so, set out the rights the Act confers on consumers in the privacy policy or another document. Guide consumers in enforcing those rights by giving them information about opting out and letting them know they can revoke their consent to personal data collection.
3. Minimize the data collected
Much like the GDPR's data minimization principle, the VCDPA requires organizations to collect only the minimum personal data needed. For example, if you want people to sign up for your newsletter, asking for their first name and email address is enough. Their date of birth, father's name, or marital status is not needed for that purpose and should not be requested or collected.
4. Take consent
When collecting data, especially data about minors and certain sensitive personal data, organizations must obtain affirmative, informed consent from consumers. Sensitive data here includes biometric information, credit card numbers, social security numbers, etc.
5. Conduct data protection assessments
When collecting personal data, organizations should assess the benefits and risks of collecting that data and the measures that can be taken to minimize those risks. This assessment must be done for data collected on or after January 1st, 2023. As part of the risk assessment, organizations also need to consider how they will safeguard the data against spills and leakage at the end of a device's lifecycle or when devices change hands.
6. Have security safeguards in place
All organizations are required to have cybersecurity measures in place to protect consumers' personal data from leaks and unauthorized access. It is safe to say that organizations that meet these responsibilities will be able to stay compliant and avoid penalties.
With the Virginia Consumer Data Protection Act set to take effect in January 2023, compliance is paramount for businesses. Among other things, data erasure is an important aspect to consider.
The Virginia data privacy law states that organizations are responsible for data until it is safely disposed of. That means secure data erasure is also required for compliance. Without it, sensitive consumer data can leak and your organization can land in legal hot water. With BitRaser data erasure software, you can ensure compliance on that front. How?
Before fines start being imposed once the Virginia data privacy law is enforced in January 2023, make sure you fulfill all the required responsibilities and stay compliant with the VCDPA. Seek help from our specialists in this regard by writing to sales@bitraser.com.
BitRaser is NIST Certified
- NIST Clear
- NIST-ATA Purge
- US Department of Defense, DoD 5220.22-M (3 passes)
- US Department of Defense, DoD 5200.22-M (ECE) (7 passes)
- US Department of Defense, DoD 5200.28-STD (7 passes)
- Russian Standard – GOST-R-50739-95 (2 passes)
- B. Schneier's algorithm (7 passes)
- German Standard VSITR (7 passes)
- Peter Gutmann (35 passes)
- US Army AR 380-19 (3 passes)
- North Atlantic Treaty Organization - NATO Standard (7 passes)
- US Air Force AFSSI 5020 (3 passes)
- Pfitzner algorithm (33 passes)
- Canadian RCMP TSSIT OPS-II (4 passes)
- British HMG IS5 (3 passes)
- Zeroes
- Pseudo-random
- Pseudo-random & Zeroes (2 passes)
- Random Random Zero (6 passes)
- British HMG IS5 Baseline standard
- NAVSO P-5239-26 (3 passes)
- NCSG-TG-025 (3 passes)
- 5 Customized Algorithms & more