Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) is a key US legislation aimed at protecting consumer data by establishing clear guidelines for businesses.


The Virginia Consumer Data Protection Act (VCDPA), which was signed into law on March 2, 2021, and came into force on January 1, 2023, aims to protect the personal data of consumers. The VCDPA is a comprehensive data privacy law that mirrors aspects of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Its primary objective is to secure the rights of consumers and their personal data, while also providing clear guidelines for businesses on how to handle this personal data.


The VCDPA applies to certain businesses dealing with large volumes of personal data, granting consumers control over their data, while excluding entities like government bodies and non-profits.


The VCDPA applies to businesses that control or process the personal data of at least 100,000 Virginia residents, or that derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. However, it exempts certain entities, such as government bodies, non-profit organisations, higher education institutions, and financial and healthcare institutions, as well as data already covered by certain sector-specific privacy laws. Under the VCDPA, consumers are given a set of rights that empower them to control their data. These rights include access, correction, deletion, and portability of personal data. Consumers also have the right to opt out of targeted advertising, the sale of personal data, and profiling that can produce legal or similarly significant effects.


The VCDPA mandates careful handling and explicit consumer consent for processing a wide range of personal data. 

The VCDPA encompasses various provisions, one of which pertains to the treatment of sensitive data. This category of data is broad and includes an array of personal identifiers that could expose individuals to discrimination or harm if mishandled. The scope of sensitive data under the VCDPA includes racial or ethnic origin, religious beliefs, and mental or physical health diagnosis. These elements can disclose significant aspects of a person’s identity and personal life, potentially leading to prejudice or differential treatment. The VCDPA also covers personal data related to sexual orientation, citizenship or immigration status, genetic or biometric data, and any personal data collected from a known child. This provision underscores the importance of protecting children’s data, since children are often unable to comprehend or consent to the implications of data collection and use. Under the VCDPA, the processing of such data is not a casual matter: it mandates explicit consent from the consumer. This means that businesses and organisations cannot process such data unless they have obtained a clear, informed, and unambiguous agreement from the consumer. This requirement is a significant step towards empowering consumers and ensuring their right to control how their personal data is used.


Under the VCDPA, processors must adhere to strict guidelines. These include following the controller’s instructions for data processing, implementing appropriate security measures such as encryption and access controls, and assisting controllers in meeting their VCDPA obligations, such as completing data protection impact assessments and data breach notifications. Processors also need written permission from the controller before subcontracting any processing activities and must enter into contracts with controllers that set out the details of the processing. Processors are also required to delete or return all personal data to the controller at the end of their services, unless retention is required by law. When necessary, processors must cooperate with any competent supervisory authority in the performance of its tasks, which may include audits or other inquiries.


Under the VCDPA, businesses must adopt robust data protection practices and respond promptly to consumer requests, as non-compliance may result in fines up to $7,500 per violation.


Businesses are expected to comply with the VCDPA by adopting data protection practices. This includes conducting risk assessments for processing activities that involve personal data, obtaining clear consent for collecting and processing data where relevant, implementing data minimisation practices, and ensuring data security. Businesses also need to establish procedures to respond to consumer requests and provide clear privacy notices outlining their data processing activities. This can involve reviewing and updating privacy policies, implementing new procedures for handling consumer data requests, and ensuring all data processing activities have a valid lawful basis under the VCDPA. Non-compliance with the VCDPA can carry significant penalties: businesses can be fined up to $7,500 per violation. While there is no private right of action under the VCDPA, meaning individuals cannot sue for violations, businesses are expected to rectify their actions within 30 days of receiving a violation notice.

If you are looking to ensure compliance with the VCDPA or other data protection regulations, Aphaia can help. Our team of experts can provide ad hoc advice to help you achieve compliance and improve your data protection practices. Contact Aphaia today to find out more.
