An Overview of the Virginia Consumer Data Protection Act

Individuals’ privacy rights remain at the forefront of US legislators in 2023. Biden’s State of the Union address placed data privacy and the enactment of a federal data protection and privacy law as a priority for the remainder of his term in office.

Alongside California’s Consumer Privacy Act, Virginia’s Consumer Data Protection Act (VCDPA) came into effect from January 1, 2023. In this post, we’ll review Virginia’s new legislation and what it means for the state.

The Act applies to organizations conducting business in Virginia or that produce products or services targeting its residents if they:

• process personal data of at least 100,000 Virginia consumers, or
• process personal data of at least 25,000 Virginia consumers and make over 50 percent of their gross profit from the sale of personal data.

What’s interesting here is that the size of the organization doesn’t affect the law’s applicability. Individuals selling goods and services are in scope if they meet these criteria. Some exclusions apply including state governmental bodies, financial entities governed by the Graham-Leach-Bliley Act, healthcare entities covered by HIPAA or HITECH, nonprofits and higher education institutions.

Unlike California’s CPRA, the VCDPA is limited to the protection of consumer data — state residents “acting only in an individual or household context” — and explicitly excludes an individual’s data when they are acting in a “commercial or employment context.”

Following the principles of similar state legislation, the VCDPA aims to protect consumers right to privacy and grants consumers six main data rights:

1. Right to access — Consumers have the right to access information held about them.
2. Right to correct — Consumers have the right to have errors in their information corrected and to update their information.
3. Right to delete — Consumers can request that their data is deleted.
4. Right to portability — Consumers must be able to obtain and/or transfer their personal information to another entity in a readily useable format.
5. Right to opt out — Consumers have the right to opt out of data collection and processing.
6. Right to appeal — Consumers have the right to appeal against any organization that doesn’t respond to requests they make related to their data rights.

The new law defines a subcategory of personal data as “sensitive data” that includes data of individuals under the age of 13, health and biometric data, geolocation information, race, ethnicity, sexual orientation, and religious and political beliefs. While entities need to offer an opt-out approach when collecting and processing personal data, sensitive data processing requires individuals to opt in and consent to its use.

As well as satisfying consumers’ privacy rights, businesses are required to maintain security practices to protect information. Some organizations may also need to perform data protection assessments that may be requested for review by the Virginia Attorney General.

With civil penalties of up to $7,500 USD per VCPDA violation, the legislation isn’t without teeth. And, viewed within the context of existing privacy-related laws in the state, the VCDPA creates yet more requirements for organizations to meet.

As the burden of regulation increases, it’s more important than ever for businesses to establish a robust strategy for managing critical personal and sensitive data. The foundation of such a strategy is data discovery, providing a comprehensive inventory of data across an organization and supporting compliance through continuous oversight of data risk.

Enterprise Recon by Ground Labs delivers award-winning data discovery packaged with on-demand remediation and data management capabilities, providing organizations maximum visibility and control of their most valuable data assets. To find out more and to book a demo, visit https://www.groundlabs.com/enterprise-recon/.