The United States is a peculiar case as far as its legislative attitude towards data privacy is concerned. That’s primarily because it has no federal or centralized data privacy law. As far as protecting consumers’ digital privacy rights is concerned, states have to legislate their own laws that address these issues.
California was the first state to do so, thanks to the California Consumer Privacy Act (CCPA). It soon passed another legislation that will replace the CCPA on January 1, 2023, titled the California Privacy Rights Act (CPRA). Several other states are drafting their data privacy laws, such as Colorado, Nevada, and Ohio.
Virginia is another such state, with one key difference; it has already passed its data privacy law titled the Virginia Consumer Data Protection Act (VCDPA). Signed in March 2022, it will also come into effect on January 1, 2023. And just like the CPRA, it affords consumers various rights while placing several responsibilities over organizations that fall under its jurisdiction.
Consumer Rights Under Virginia Data Protection Act
Known as data subject rights under GDPR and consumer rights under both the CPRA and VCDPA, these guaranteed rights ensure that users retain greater control over how their data is collected, stored, used, and shared/sold. Per the VCDPA, there are seven main rights consumers have. These include the following:
- Right to Access – Consumers have the right to access and view any and all data collected on them by a data processor or controller;
- Right to Know – Consumers have a right to know whether a data processor or a controller is processing their data or not;
- Right to Correct – Consumers have the right to correct, modify, and alter any data collected on them by a data processor or controller that has since become outdated, obsolete, or incorrect;
- Right to Delete – Consumers have the right to request deletion of any and all data that may have been collected on them by a data processor or controller;
- Right to Copy – Consumers have the right to get a copy of any and all data collected on them by a data processor or controller in a machine-readable form;
- Right to Opt-Out – This is arguably the most critical right users have. The VCDPA allows consumers to opt out of having to receive any marketing or advertising material while also opting out of having their data collected for any reason whatsoever;
- Right to Appeal – Consumers have the right to appeal any decision or indecision of a data processor or controller in the wake of the consumer exercising any of their rights. The data processor/controller has 45 days to respond to such requests. Failing to do so, the consumer can move against the processor or controller to the state attorney general’s office.
Whom Does the Virginia Consumer Data Protection Act Applies To?
Not all business entities in Virginia are subject to the VCDPA. The criteria for whom it applies are rather specific in stating that only entities that conduct business in Virginia or provide products or services that target Virginian residents are supposed to be subject to it. Additionally:
- Businesses that provide services to at least 100,000 users per calendar year;
- Businesses that generate 50% of their annual gross revenue from selling personal data.
…are subject to the VCDPA.
However, organizations that fall under the following categories are exempt from any of VCDPA’s provisions:
- Organizations subject to the Gramm-Leach-Bliley Act (GLBA);
- Organizations subject to the Health Insurance Portability and Accountability Act (HIPAA);
- Higher Education institutions;
- Virginia’s state government bodies and institutions.
Obligations Under Virginia Consumer Data Protection Act
There are some strict requirements and obligations for organizations that do have to adhere to the VCDPA’s regulations. Some of these requirements include:
- Purpose Limitation
The VCDPA states that a data processor or controller must “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer unless the controller obtains the consumer’s consent”. This restricts any data collection activities from a controller or processor to only collect data vital for the essential functions of a website.
Any further processing, especially sensitive personal data, will require additional user consent.
- Appropriate Safeguards
The VCDPA mandates all data processors and controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
These are necessary to ensure any and all data collected is afforded the best protection while guaranteeing only parties with valid consent and permission may have access to this data.
- Impact Assessments
The VCDPA requires all data processors and controllers to undertake rigorous privacy impact assessments. These assessments allow organizations to gauge the effectiveness of their current data protection mechanisms in place while also highlighting areas that need additional security.
Done regularly, it can allow organizations to see how their protection strategy has evolved over time while highlighting areas that need improvement.
There are several other responsibilities and obligations data processors and controllers are expected to honor. It is advisable to read the original legislation in detail to get a complete idea of all the responsibilities of an organization subject to the VCDPA.
Who Enforces the Virginia Consumer Data Protection Act?
The VCDPA is a lot more similar to the CCPA than the CPRA in this regard. This is because the Virginia State Attorney General’s office is directly responsible for enforcing the VCDPA and handing out fines for organizations deemed in violation of the law.
Once a consumer launches an official complaint with the Attorney’s General’s office, they must notify the primary data controller as soon as possible. At this point, the data controller receives a 30-day cure period, where they must resolve the consumer’s grievances in the complaint.
If resolved, the data controller must provide the Attorney General’s office with an “express written statement that the alleged violations have been cured and that no further violations shall occur”. However, if the issue is unresolved, the Attorney General’s office can levy the data controller a $7,500 fine per violation.