Virginia Consumer Data Protection Act
In March 2021, Virginia joined California at the forefront of America’s battle for consumer data privacy rights. Let us help make sure your business is ready for it.
Unlike the European Union’s General Data Protection Regulation (GDPR), which applies to all member states, the United States has thus far opted against passing federal legislation protecting consumers’ digital privacy. This fractional approach to data privacy online has resulted in a patchwork of state laws that differ slightly from state to state.
Virginia’s 2021 special legislative session brought the newest entry in US data privacy law with the passage of the Virginia Consumer Data Protection Act (VCDPA). The VCDPA borrows heavily from the currently enforceable California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which will become effective January 1, 2023.
Whether your business is subject to the GDPR, the CCPA, or the VCDPA (and depending on your business, you might need to comply with all of them), Red Clover Advisors can help you design and build a data privacy program that goes beyond just compliance.
Get in touch today to get started.
Digital trust is the confidence your users have that the sensitive data they give you is safe with your employees, processes, and systems.
Building digital trust is good for business. Fifty-three percent of 18–24-year-olds are unlikely to purchase goods or services from a brand they don’t trust, with that number going up to 89% for individuals over age 55.
Consumer privacy advocacy is in its infancy, and businesses that make data privacy part of their business operations have an unprecedented opportunity to capture new customers without changing a single product or service.
Our years of experience and privacy expertise, combined with our proven ability to develop practical, customized solutions, make us the partner you need to get VCDPA compliant.
Here’s the skinny on the who, what, and how of the VCDPA.
Entities that conduct business in Virginia OR produce products or services targeted to Virginia residents AND
(Unlike the CCPA, there are no business revenue thresholds. This also means that depending on how they use data, a business can be a data controller and a data processor, which adds extra responsibilities).
(Unlike the CCPA, there is no private right of action for consumers).
If you’re new to the privacy game, this chart can look impossible. But at Red Clover Advisors, our mission is to help businesses embrace a new way of working with data, going beyond compliance to create a privacy-friendly strategy that builds trust with customers.
We excel at making building a privacy program work for your timeline, your budget, and your business model.
Wondering what working with a privacy consultant would look like for your business? Call us today to schedule a consultation.
The VCDPA will not be effective until January 1, 2023, which means the biggest advantage you have in building your data privacy program is time.
If you start now, you have time to find the right solutions, create the right processes, and hire the right people so that your privacy program will not just be compliant.
It will be efficient, responsive, and agile.
Getting compliant with new privacy legislation is doable. Especially if you start early.
Here are five steps you can start on today.
If you want a strong data privacy program, you need to know what types of data you are collecting, why you are collecting it, what you are doing with it, where it is being stored, who it is being shared with, and how long you are keeping it.
We are pros at optimizing your existing compliance software, recommending new tools if needed, and finding pragmatic solutions that help you understand your data in a way that works for you.
Once you’ve completed a data inventory, you’ll know where the vulnerable points are in your system. Maybe you need to strengthen your access protocols. Maybe you need new processes to ensure software updates and licenses are installed in a timely way. Maybe you need to replace a few vendors.
No matter what the risks to your data are, RCA can guide you through the process in a way that empowers you to make the best decisions for your users.
This step is where having a pro by your side makes a big difference. To be compliant, your data privacy program needs to be able to quickly let customers opt out of having their data sold or shared. Unless it’s data from a protected category, in which case they need to be able to opt in.
You also have to be able to provide customers with timely answers to what data you have collected about them, what you are doing with it, and who you have shared it with. And they have to be able to correct any inaccuracies. And delete it from your system if they want.
It seems like a lot because it is. But just because it’s a lot, it doesn’t mean it has to be hard.
We’ve helped hundreds of clients develop elegant, efficient processes that manage all of these requirements without overwhelming your teams.
Once you have all your ducks in a row, writing your privacy policy will be the easiest part of your privacy journey. RCA can work with your legal, IT, customer service, and marketing teams to create a privacy policy that accurately and transparently describes your data collection and usage practices to your users.
Employees are the make-or-break of every data privacy program. In fact, many of the large data breaches that have made headlines in recent years stem primarily from human error.
We help clients create training programs that match their company culture and improve their employees’ awareness of their importance to a high-functioning data privacy program every single day.
Whether you need company-wide training sessions or help creating talking points that can be used in weekly staff meetings, we are here for you.
Keep time on your side and find out what a privacy consultant can do for you by calling us today.
Consumer privacy legislation may be new, but it’s here to stay. Build the program you need to be able to quickly respond to whatever changes may come with minimal downtime and no service disruptions.
Your customers deserve it. Your company needs it.
And we can help you do it.
The VCDPA applies to my business. What do we need to do differently?
Well, it depends on where you are in your privacy strategy journey.
If you are compliant with any other existing privacy laws (GDPR, CCPA, CPRA, etc.), you will probably need to make some simple changes that allow you to identify VA residents and make sure your opt-out and opt-in systems, as well as your individual rights requests processes, match the specific parameters of the VCDPA.
If you’ve never had a formal data privacy program before, you have some work to do. But the fact that you are reading this proves you are headed in the right direction. Give us a call and let us help you find answers to your questions. If you don’t even know what questions to ask, don’t worry! We can help with that too.
Data processor? Data controller? Sensitive data? Can you help me understand some of these definitions?
Sure!
Personal data: any information that is linked to or reasonably linkable to an identified or identifiable natural person
Sensitive data: data related to name, birthday, SSN, sexual orientation, citizenship status, biometrics, racial or ethnic origin, religious beliefs, mental or physical medical history, precise geolocation (notably, the VCDPA diverges from other privacy laws by not including email account credentials here)
Data controller: the natural or legal person or people who determine the purpose and means of processing personal data
Data processor: the person, people, or entity that processes data for a controller (often a third-party vendor)
Process or processing: any operation or set of operations performed on personal data that allows it to be used by a business (includes collection, use, storage, analysis, disclosure, etc.)
Does sharing data with a vendor count as selling it under this law?
Technically no.
The VCDPA differs from its California counterparts by defining the sale of data as “the exchange of personal data for monetary consideration by the controller to a third party.”
It remains to be seen how this guideline will be enforced in practice, especially since the finer points of the law will more than likely be adjusted as the effective date gets closer. But for now, it looks like data sharing and data selling will not be equal under the VCDPA.