Know Virginia Consumer Data Protection Act

Consumers are more in control of their data and privacy today than ever before.

Protecting privacy and maintaining data security has become a common topic of discussion across the globe and is gaining momentum. Following California's CCPA, Virginia has also established a comprehensive data privacy legislation and will become the 2nd state in the United States with such a law in effect.

The then-Virginia Governor Ralph Northam, on March 2nd, 2021, passed the Virginia Consumer Data Protection Act (VCDPA), which gives consumers in Virginia the right to control the use of their data. Three amendments were suggested and signed into law by the new Virginia Governor Glenn Youngkin on April 11th, 2022. The bill's text was finalized and will become effective from January 2023. 

In this article, we will walk you through everything that you need to know about the Virginia Consumer Data Protection Act (VCDPA). It will cover:

• What is the Virginia Consumer Data Protection Act?
• What personal data does the Act relate to?
• What are the rights of the consumers under the Virginia CDPA?
• Which organizations are required to stay compliant with the VCDPA?
• What are the penalties for non-compliance with the VCDPA ?
• How to stay compliant with VCDPA?

What is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act gives consumers the right to access and control their personal information that companies possess. The consumers will have the right to request access, correct inaccuracy, and delete their personal data that is held by businesses about them. Data Processing, according to the Act, includes everything that organizations do with the consumer’s data, which is in their control. That means according to the Act, organizations are responsible for the safety of consumers' personal data right from the time they collect the data till they safely delete or erase the data. Though not explicitly mentioned, It is important to note here that if an individual's personal data is compromised because an organization failed to completely erase it from their database, they'd be held liable.  

What ‘Personal Data’ does the Act relate to?

The VCDPA refers to protecting the personal data of consumers in Virginia. The Act defines ‘Personal data’ as any information that can be reasonably associated with an identified or identifiable natural person. Data available in the public domain and anonymized data are outside the purview of the Act. 

Some examples of personal data:

• Name
• Email ids
• Social security number
• Phone numbers
• Precise geolocations
• IP addresses
• Data revealing racial or ethnic origin, etc.
• Data collected from known children
• Biometric data that can uniquely identify an individual

What are the Rights of the consumers under Virginia CDPA?

Under the Act, consumers in Virginia have rights similar to that of California CDPA and Europe's General Data Protection Regulation (GDPR). 

The Rights include:

• Right to Access: Knowing if their personal data is being collected by businesses.
  Withdrawing their consent and stopping the collection of their personal data.
• Right to Correct: Accessing and amending their personal data stored by businesses to remove inaccuracies.
• Right to Delete: Deleting their personal information.
• Right to Opt-out: Opting out of targeted advertising, sale of their personal data, and any profiling based on their data.
• Right to Data Portability: The Act allows consumers to access their data "in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance."

Which Organizations are required to stay compliant with the VCDPA?

It can be confusing to assess if the Virginia Consumer Data Protection Act is applicable to your organization or not. For clarification regarding the same, the Act clearly specifies which organizations are required to stay compliant. The Act is applicable to all organizations conducting business in Virginia or producing products and services for consumers in Virginia and if they:

• Control/process the data of at least 100,000 residents of Virginia in a calendar year
• Derive over 50% of their gross revenue from the sale of personal data and control/process the data of at least 25,000 Virginian residents.

What are the Penalties for non-compliance with the VCDPA?

The attorney general shall have the exclusive authority to enforce any violations of the Act post receiving consumer complaints against businesses. If found violating the Virginia Consumer Data Protection Act, businesses can be fined up to $7,500 for every violation, plus the attorney's charges.  They'd also be liable to bear any other charges related to expenses incurred for the inspection, etc. if deemed fit by the office of the Attorney General. For example, if any business is found compromising the data privacy of 1000 individuals, then the penalty imposed shall be USD 7.5 Million.

How to stay compliant with VCDPA?

The Act does not specify a checklist for compliance for businesses. However, it places 6 responsibilities on businesses that fall under its purview. 

The responsibilities include:

1. Businesses should have a privacy policy in place.
Organizations need to have a privacy policy in which they clearly state if they collect personal data, what data they collect, why they collect it, how is it stored and processed, and with whom it is shared. 

2. Ensure consumer rights are exercised
The Act requires businesses to help consumers understand and exercise their rights if needed. For that, lay down the rights conferred to consumers by the Act in the privacy policy or another document. Guide consumers to help them enforce those rights by giving them information about opting out and letting them know they can revoke their consent to personal data collection.

3. Minimize the data collected
Much like the GDPR's data minimization principle, the VCDPA also requires organizations to collect minimum personal data. For example, if you want people to sign up for your newsletter, asking them for their first name and email address is enough. Their date of birth, father's name, or marital status is not needed here and should not be asked for and collected as such. 

4. Take consent
While collecting data, especially about minors and some sensitive personal data, organizations need to take informed affirmation from consumers. Sensitive data here includes biometric information, credit card numbers, social security number, etc. 

5. Conduct data protection assessments
When collecting personal data, organizations should assess the benefits and risks associated with collecting such data and the measures that can be taken to minimize those risks. This assessment has to be done for data collected on or after January 1st, 2023. During the risk assessment part, organizations also need to pay attention to how they will safeguard the data against spills and leakage at the end of a device's lifecycle or when the devices change hands. 

6. Have security safeguards in place
All organizations are required to have cybersecurity measures in place to ensure that the consumer's personal data is protected from leaks and unauthorized access. It is safe to say that if organizations bear these responsibilities, they'd be able to stay compliant and avoid penalties.

How can BitRaser Data Erasure help businesses stay compliant with the Virginia Consumer Data Protection Act?

With Virginia Consumer Data Protection Act set to be effective from January 2023, compliance is paramount for businesses.  Among other things, data erasure can be an important aspect to consider. 

The Virginia Data Privacy Law mentions that organizations are responsible for data till it is safely disposed of. That means "secure data erasure" is also required for compliance. In the absence of that, sensitive consumer data can get leaked and your organization can get into a legal hot soup. With BitRaser data erasure software, you can ensure compliance on that front. How?

• BitRaser securely erases all the data on the device beyond recovery with options to customize, automate and verify the erasure process.
• You get verifiable, tamper-proof reports that can be used to show that data was completely erased from your end and thus helps in compliance with modern data privacy and protection laws like Virginia Data Privacy Law.
• The solution is environment-friendly as you can still reuse or resell the device and no e-waste is generated.

Before you are imposed a fine post the enforcement of the Virginia Data Privacy Law in January 2023, make sure you fulfill all the required responsibilities and stay compliant with VCDPA. Seek help from our specialists in this regard by writing to sales@bitraser.com. 

FAQs