Virginia Consumer Data Protection Act
In March 2021, Virginia joined California at the forefront of America’s battle for consumer data privacy rights. Let us help make sure your business is ready for it.
Know How The Data Privacy Landscape Affects You
Unlike the European Union’s General Data Protection Regulation (GDPR), which applies to all member states, the United States has thus far opted against passing federal legislation protecting consumers’ digital privacy. This fractional approach to data privacy online has resulted in a patchwork of state laws that differ slightly from state to state.
Virginia’s 2021 special legislative session brought the newest entry in US data privacy law with the passage of the Virginia Consumer Data Protection Act (VCDPA). The VCDPA borrows heavily from the currently enforceable California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which will become effective January 1, 2023.
Whether your business is subject to the GDPR, the CCPA, or the VCDPA (and depending on your business, you might need to comply with all of them), Red Clover Advisors can help you design and build a data privacy program that goes beyond just compliance.
Data privacy compliance is critical for modern business. It’s also easier and more affordable than you think.
Get in touch today to get started.
Build Digital Trust With Your Customers
Digital trust is the confidence your users have that the sensitive data they give you is safe with your employees, processes, and systems.
Building digital trust is good for business. Fifty-three percent of 18–24-year olds are unlikely to purchase goods or services from a brand they don’t trust, with that number going up to 89% for individuals over age 55.
Consumer privacy advocacy is in its infancy, and businesses that make data privacy part of their business operations have an unprecedented opportunity to capture new customers without changing a single product or service.
Our years of experience and privacy expertise combined with our proven ability to develop practical, customized solutions, make us the partner you need to get VCDPA compliant.
What’s in the VCDPA?
Here’s the skinny on the who, what, and how of the VCDPA.
Entities To Which It Applies
Entities that conduct business in Virginia OR produce products or services targeted to Virginia residents AND
- Control or process the sensitive data of at least 100,000 Virginia residents during a calendar year
- Control or process the sensitive data of at least 25,000 consumers and derive at least 50% of gross revenue from the sale of personal data
(Unlike the CCPA, there are no business revenue thresholds. This also means that depending on how they use data, a business can be a data controller and a data processor, which adds extra responsibilities).
What Consumers’ Rights Are
- Knowing what personal information you are collecting about them
- Correcting inaccuracies in their personal data
- Deleting their personal data your company systems
- Receiving a copy of their personal data in an easy-to-use format
- Opting out of the sale of their personal data, or the targeted advertising or decision profiling
- Opting-in (or giving consent) to having sensitive data processed
- Not be discriminated against for exercising any of the other rights
- Appealing a business’s refusal to act within mandated timelines
How It’s Enforced
- The Virginia Attorney General is solely responsible for enforcing the VCDPA by bringing an action on behalf of the Commonwealth against any offenders
- Penalties for violation include an injunction and a civil penalty of up to $7,500 per violation.
(Unlike the CCPA, there is no private right of action for consumers).
- If a controller sells personal data to third parties or processes personal data for targeted Advertising, it must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
- Sale of personal data means the exchange of personal data for monetary consideration by the controller to a third party. It does not include disclosure (1) to a processor processing data on behalf of the controller; (2) to a third party for purposes of a product or service requested by the consumer; (3) to a controller’s affiliate; (4) of information a consumer intentionally made available to the general public via mass media and did not restrict to a specific audience; and (5) to a third party as an asset that is part of a business transaction where the third party assumes control of the controller’s assets.
What Businesses Have to Do
- Minimize the amount and types of data collected
- Only process data for the reasons disclosed in the privacy policy
- Establish, implement, and maintain reasonable data security practices
- Conduct and document data protection assessments (similar to the data protection impact assessments required under the GDPR) to evaluate the risks associated with processing activities that pose a heightened risk – such as those related to sensitive data and personal data for targeted advertising and profiling – and the sale of personal data.
- Evaluate all third-party vendors and service providers to ensure their processes are VCDPA compliant
- Create a right of appeals/right of access process (similar to the GDPR data subject access requests or the CCPA’s individual rights requests)
- Provide easy, highly visible access to an accurate and updated privacy policy
- Data processors are subject to similar obligations, such as ensuring each person processing personal data is subject to a duty of confidentiality, deleting or returning all personal data to the controller as requested, making available to the controller all information necessary to demonstrate the processor’s compliance with the obligations in the CDPA, and requiring the subcontractor to meet the same obligations of the processor with respect to the personal data
If you’re new to the privacy game, this chart can look impossible. But at Red Clover Advisors, our mission is to help businesses embrace a new way of working with data, going beyond compliance to create a privacy-friendly strategy that builds trust with customers.
We excel at making building a privacy program work for your timeline, your budget, and your business model.
Wondering what working with a privacy consultant would look like for your business? Call us today to schedule a consultation.
Get VCDPA-Ready With These Five Steps
The VCDPA will not be effective until January 1, 2023, which means the biggest advantage you have in building your data privacy program is time.
If you start now, you have time to find the right solutions, create the right processes, and hire the right people so that your privacy program will not just be compliant.
It will be efficient, responsive, and agile.
Getting compliant with new privacy legislation is doable. Especially if you start early.
Here are five steps you can start on today.
1. Analyze your data collection practices with a data inventory
If you want a strong data privacy program, you need to know what types of data you are collecting, why you are collecting it, what you are doing with it, where it is being stored, who it is being shared with, and how long you are keeping it.
We are pros at optimizing your existing compliance software, recommending new tools if needed, and finding pragmatic solutions that help you understand your data in a way that works for you.
2. Re-evaluate your security protocols
Once you’ve completed a data inventory, you’ll know where the vulnerable points are in your system. Maybe you need to strengthen your access protocols. Maybe you need new processes to ensure software updates and licenses are installed in a timely way. Maybe you need to replace a few vendors.
No matter what the risks to your data are, RCA can guide you through the process in a way that empowers you to make the best decisions for your users.
3. Set up your internal processes
This step is where having a pro by your side makes a big difference. To be compliant, your data privacy program needs to be able to quickly let customers opt out of having their data sold or shared. Unless it’s data from a protected category, in which case they need to be able to opt-in.
You also have to be able to provide customers with timely answers to what data you have collected about them, what you are doing with it, and who you have shared it with. And they have to be able to correct any inaccuracies. And delete it from your system if they want.
It seems like a lot because it is. But just because it’s a lot, it doesn’t mean it has to be hard.
We’ve helped hundreds of clients develop elegant, efficient processes that manage all ofthese requirements without overwhelming your teams.
4. Update your privacy policy
Once you have all your ducks in a row, writing your privacy policy will be the easiest part of your privacy journey. RCA can work with your legal, IT, customer service, and marketing teams to create a privacy policy that accurately and transparently describes your data collection and usage practices to your users.
5. Train, train, train
Employees are the make-or-break of every data privacy program. In fact, many of the large data breaches that have made headlines in recent years stem primarily from human error.
We help clients create training programs that match their company culture and improve their employees’ awareness of their importance to a high-functioning data privacy program every single day.
Whether you need company-wide training sessions or help creating talking points that can be used in weekly staff meetings, we are here for you.
Keep time on your side and find out what a privacy consultant can do for you by calling us today.
Be Ready For Your Future
Consumer privacy legislation may be new, but it’s here to stay. Build the program you need to be able to quickly respond to whatever changes may come with minimal downtime and no service disruptions.
Your customers deserve it. Your company needs it.
And we can help you do it.
FAQs
The VCDPA applies to my business. What do we need to do differently?
Well, it depends on where you are in your privacy strategy journey.
If you are compliant with any other existing privacy laws (GDPR, CCPA, CPRA, etc.), you will probably need to make some simple changes that allow you to identify VA residents and make sure your opt-out and opt-in systems, as well as your individual rights requests processes, match the specific parameters of the VCDPA.
If you’ve never had a formal data privacy program before, you have some work to do. But the fact that you are reading this proves you are headed in the right direction. Give us a call and let us help you find answers to your questions. If you don’t even know what questions to ask, don’t worry! We can help with that too.
Data processor? Data controller? Sensitive data? Can you help me understand some of these definitions?
Sure!
Personal data: any information that is linked to or reasonably linkable to an identified or identifiable natural person
Sensitive data: data related to name, birthday, SSN, sexual orientation, citizenship status, biometrics, racial or ethnic origin, religious beliefs, mental or physical medical history, precise geolocation (notably, the VCDPA diverges from other privacy laws by not including email account credentials here)
Data controller: the natural or legal person or people who determine the purpose and means of processing personal data
Data processor: the person, people, or entity that processes data for a controller (often a third-party vendor)
Process or processing: any operation or set of operations performed on personal data that allows it to be used by a business (includes collection, use, storage, analysis, disclosure, etc.)
Does sharing data with a vendor count as selling it under this law?
Technically no.
The VCDPA differs from its California counterparts by defining the sale of data as “the exchange of personal data for monetary consideration by the controller to a third party.”
It remains to be seen how this guideline will be enforced in practice, especially since the finer points of the law will more than likely be adjusted as the effective date gets closer. But for now, it looks like data sharing and data selling will not be equal under the VCDPA.
