Make Sure You're Complying with the Virginia Consumer Data Protection Act with this Checklist from Exterro
By Tim Rollins
The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, making Virginia the second state in the United States to pass comprehensive data privacy legislation, and went into effect on January 1, 2023. Businesses of all sizes are expected to comply with its provisions. At a baseline, organizations that control or process data on 100,000 or more Virginians, or that process or control data on 25,000 Virginians and derive half their revenue from the sale of personal information, must comply.
But the provisions are complicated. Organizations may be exempt from VCDPA regulations if they are non-profits, institutes of higher education, or regulated by a variety of other US laws that govern aspects of privacy, from well-known ones like HIPAA (the Health Insurance Portability and Accountability Act) and COPPA (the Children's Online Privacy and Protection Act) to the lesser-known Farm Credit Act and Patient Safety and Quality Improvement Act.
The regulations governing how data is collected, used, and shared are complicated as well. To help businesses comply with the VCDPA, we have created a checklist of the key provisions that businesses must adhere to. By following this checklist, businesses can ensure that they are in compliance with the law and are protecting the personal data of their customers and clients.
What Does Our VCDPA Checklist Cover?
- Understanding if VCDPA applies to your business: The VCDPA applies to businesses that collect personal data from Virginia consumers and meet certain other criteria. Make sure your business falls within the scope of the VCDPA before taking any further steps.
- Providing consumers with the right to access and delete their data: The VCDPA gives consumers the right to access and delete the personal data that a business has collected about them. Businesses must provide consumers with an easy way to exercise these rights.
- Providing notice of what data is collected and why: The VCDPA requires businesses to provide consumers with a clear and conspicuous notice about the types of data that the business collects and the purposes for which the data will be used. This notice should be provided at or before the point of data collection, and should be easily accessible to consumers.
- Obtaining consumer consent: The VCDPA requires businesses to obtain affirmative consent from consumers before collecting, using, or disclosing sensitive personal data. This means that businesses must obtain explicit consent from consumers before collecting data that could be used to identify a consumer, such as Social Security numbers or financial account information.
- Relationships with third parties: One of the areas of greatest concern with respect to privacy and data protection is third-party processing. Many significant data breaches have resulted from third parties failing to maintain standards similar to those of the primary collector of the data. Whether your organization is acting as a processor or a controller in a third-party relationship, it is important that you understand the requirements the law places on that relationship.
- De-identified data: One method of retaining the value of personal data without the risk is to de-identify it. This involves removing or obfuscating the personal information in such a way that the data's useful properties are retained, but the specific values no longer correspond to an identifiable individual. However, in the past several years it has been shown that de-identified data can be re-identified, and that some de-identification methods are insufficient for certain classes of data. The VCDPA contains specific rules on how your organization may use de-identified personal data.