What is the VCDPA? Virginia’s Consumer Data Protection Act

What is the VCDPA?

The Virginia Consumer Data Protection Act (VCDPA) is Virginia’s own privacy law, and it is the second state law of its kind in the country, following only California. On March 2, 2021, Governor Ralph Northam signed the bill into law, which will go into effect on January 1, 2023. This regulation combines concepts from the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act CCPA, and the California Privacy Rights Act CPRA.

Who Does the VCDPA Apply To?

This act applies to individuals who conduct business in Virginia or produce and sell products that target Virginia residents. It also is applicable to businesses that control or process the personal data of 100,000 or more Virginia consumers during a calendar year, or that control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. 

These specific requirements are what set the VCDPA apart from CCPA. There is no gross revenue amount that qualifies a business to follow VCDPA compliance, unlike CCPA, which sets the threshold at $25 million.

In addition, there are several types of organizations that are exempt from the regulations outlined in VCDPA. They include but are not limited to:

• Higher education institutions
• Non profit organizations
• Financial institutions already governed by GLBA Title V
• Organizations governed by HIPAA/ HITECH regulations
• Specific government entities 

What are the VCDPA Requirements?

At their core, data compliance laws are customer-centric and aim to protect individuals from losing personal data or being the victim of damages. “Personal data” is described by the bill as “any information that is linked or reasonably associated to an identified or identifiable natural person.” “Personal data” does not include de-identified data or publicly available information.” “Sensitive data” is classified as a subcategory of personal data that reveals racial or ethnic origin, mental or physical health diagnosis, religious beliefs, sexual orientation, or citizenship/immigration status.

The VCDPA follows suit with other compliance laws, such as the CCPA and GDPR, by enabling consumers with the ability to access, correct, delete, and receive a copy of their personal data upon request. Consumers can also opt-out of the processing of personal data in the context of targeted advertising under the VCDPA. Within 45 days of receipt of a request, organizations must take action to address customer data requests. If for some reason the request is denied, organizations must also have processes in place to handle appeals.

A “consumer” is defined by the bill as, “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural personal acting in a commercial or employment context.”

Businesses are required by the VCDPA to make additional disclosures surrounding their personal data processing activities, individual rights, and how consumers may exercise those rights. Organizations are also required to perform impact assessments to ensure they are not infringing upon a consumer’s privacy rights with their processing activities, have implemented appropriate technical and security controls, and have appropriate agreements in place with vendors.

Use Ground Labs to Prepare for VCDPA Compliance

Even with internal precautions in place, a data breach may still occur. Should an accident happen, organizations will be notified of their violation and given 30 days to remediate the case. If an organization fails to fix their data issue, the attorney general of Virginia will have the ability to charge at maximum $7,500 per violation.

Attempting to meet full data compliance alone, no matter the size of your organization, is risky business. Partnering with Ground Labs can give your organization peace of mind knowing that our solutions are scanning all of your organization’s surfaces and reading over 300 data types.

Rushing to meet compliance standards is bound to leave holes somewhere. Make a commitment to meet VCDPA requirements ahead of the January deadline and schedule a meeting with a compliance expert now.