in a nutshell
Businesses around the world must comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to the personal data of Virginia consumers. VCDPA allows Virginia to follow the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA), but excludes employee and business representative data from its scope .
content
- Who and what data is protected?
- Who Must Comply?
- How to comply?
Businesses taking steps to comply with the CCPA can leverage some of their existing vendor terms, website disclosures, and data subject rights compliance processes to meet VCDPA requirements. . However, the VCDPA contains certain unique prescriptive requirements that necessitate his VCDPA-specific approach to compliance. For example, the VCDPA requires that you obtain affirmative opt-in consent before processing sensitive personal data, and that personal data is not used when processing sensitive data or for purposes such as targeted advertising, sales, or profiling. requires companies to conduct data protection assessments when undertaking certain activities. Unlike the CCPA and other privacy laws, the VCDPA does not give rulemaking powers to the Virginia Attorney General. Changes to the VCDPA must be made by Congressional amendment.
The VCPDA will take effect on January 1, 2023, with no retroactive period for violations.
VCDPA protects the “consumer”. A consumer is defined by law as a Virginia resident acting in an individual or domestic setting. Individuals acting in an employment or commercial context are expressly excluded from protection.
The VCDPA defines “personal data” to mean information that is linked or reasonably linkable to an identified or identifiable individual, but which is anonymized or made publicly available. data is not included. Unlike the CCPA, the VCDPA does not explicitly protect household personal data.
The VCDPA contains exemptions for certain types of data and entities. These include exemptions for agencies governed by the Gramm-Leach-Bliley Act (GLBA), and certain data maintained by public utilities, employment records, covered entities and the Health Insurance Portability and Accountability Act. and other information processed by business associates under The types of information already regulated under other federal laws, such as GLBA, Family Educational Rights and Privacy Act, Fair Credit Reporting Act, Children’s Online Privacy Protection Act (COPPA).
Unless an exemption applies, the VCDPA recognizes “managers” and “managers” who conduct business in Virginia or intentionally sell products or services to Virginia residents and who meet any of the following criteria: “Processor”. Data for over 100,000 consumers in a calendar year. or (ii) controls or processes the personal data of at least 25,000 consumers and derives 50% or more of its total revenue from the sale of personal data.
A “controller” is analogous to a “business” under the CCPA and is defined as a person who alone or jointly with others determines the purposes and means of processing personal data. A “processor” is analogous to a “service provider” under the CCPA and is defined as a person who processes personal data on behalf of a controller. To qualify as a “processor” under the VCDPA, a company must process personal data on behalf of a controller. The VCDPA requires processors to comply with controller instructions and to assist controllers in complying with their own obligations, and both parties contract on specific terms set forth by her VCDPA. must be concluded.
Privacy NoticeUnder VCDPA, controllers are required to provide a privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purposes for which we process the personal data; (iii) how consumers can exercise their rights, including the controller’s contact information, and how consumers can appeal against the controller’s decisions regarding consumer requests; (iv) the categories of personal data (if any) that the controller shares with third parties; (v) categories of third parties with whom the controller shares personal data (if any); Unlike the CCPA, the VCDPA does not expressly require a privacy notice to be issued prior to collection and does not require information about the source of the personal data, the process followed by the controller to confirm the request, or the collection of personal information, Information about financial incentives offered in exchange for retention or sale. Nonetheless, depending on the notices companies currently issue and their content, many companies will update their notices to include a statement of their right under the VCDPA to challenge controller decisions regarding their data. allows you to take advantage of our current privacy notices to comply with the VCDPA. subject request.
The VCDPA also authorizes controllers who “sell” personal data to third parties, or controllers who process personal data for targeted advertising, to such processing, and to allow consumers to opt out of such processing. We require clear and conspicuous disclosure of how to exercise your rights. Unlike the CCPA, the VCDPA’s definition of “sale” of personal data is limited to the exchange of personal data for monetary consideration. The VCDPA also excludes certain types of disclosure from the “sale” of personal data. For example, disclosure to processors to process personal data on behalf of a controller, disclosure of personal data to third parties for the purpose of providing products or services. At the request of a consumer, disclosure to an affiliate of the controller, disclosure to a third party as part of a merger or similar transaction, or personal data intentionally provided by a consumer to the general public or mass media channels. disclosure.
confidential dataUnlike the CCPA, which introduces an “opt-out” regime for processing sensitive personal information beyond specific authorized purposes, the VCDPA allows consumers to “opt-in” to the processing of sensitive data. I am requesting.
The VCDPA defines “sensitive data” to mean certain predetermined categories of data. This includes personal data revealing an individual’s race, ethnic origin, religious beliefs, mental or physical health examination, sexual orientation, citizenship or immigration status. Personal data from known children (under the age of 13). Processing genetic or biometric data for the purpose of uniquely identifying an individual. Precise geolocation data.
In practice, fitness trackers, delivery app services, and other businesses that provide recommendations or services based on a consumer’s precise location may require opt-in consent from users before processing such personal data. You have to guarantee that you will get When working with a child’s data, the company must obtain consent from her parent in accordance with COPPA’s verifiable parental consent requirements.
Technical and organizational measures, evaluationThe VCDPA requires Controllers to establish, implement and maintain reasonable administrative, technical and physical data security practices before engaging in processing activities that increase the risk of harm to consumers. , requires that a data protection assessment be conducted and documented. The VCDPA considers targeted advertising and profiling, the sale of personal data, and processing for the purpose of processing sensitive data generally high risk of harm to consumers.
CCPA did not originally include such an assessment requirement, but the California Privacy Protection Agency is tasked under CCPA with issuing regulations that also require audits and risk assessments. Businesses should take advantage of the assessments conducted under the VCDPA to help them comply with the CCPA and other US state privacy laws.
Data processing agreementBefore a processor carries out processing on behalf of a controller, both parties agree to comply with the privacy laws of other U.S. states (and the GDPR), including instructions for controllers and requirements for processors to do with respect to processing. You must enter into an agreement containing terms similar to those that (1) keep personal data confidential; (2) delete or return all personal data to the controller as requested upon termination of the provision of the service, unless retention of personal data is legally required; (3) make the data available to the controller upon request; (4) Cooperate with third-party evaluations. (5) Enter into similar agreements with subcontractors. Data Processor must follow Controller’s instructions and use appropriate technical and organizational measures to assist Controller in fulfilling her obligations under the VCDPA. Businesses should continue to update their contracts, keeping standardization in mind as much as possible (see Standardizing Data Processing Agreements Globally).
Data subject rightsUnder the VCDPA, consumers have the right to know whether a controller has collected their personal data, the right to access personal data collected from them, and the right to obtain personal data from a platform in a form that allows it to be transferred to another platform. We reserve the right to download and remove, and the right to modify and remove. personal data held in them. Consumers also have the right to opt out of the sale of their personal data or the use of their personal data for targeted advertising and certain types of profiling.
Responding to Data Subject Rights RequestsTo exercise its rights, the VCDPA will allow consumers to receive a response to their request without undue delay once they have been authenticated, but in any event not later than 45 days after receipt of the request. is. The controller may extend this period for an additional 45 days if reasonably necessary, and the consumer will ultimately be subject to a complaint under the controller’s appeals process (a process that the VCDPA requires the controller to undertake). You can appeal against decisions made by the administrator. The appeal process requires the consumer to provide a response to the appeal within 60 days and provides consumer information on how to contact the Virginia Attorney General if the consumer has concerns about the outcome of the appeal. is needed. This is in contrast to the CCPA, which does not mandate an appeals process.
Sanctions and RemediesUnlike the CCPA, there are no private action rights provided by the VCDPA, but the Virginia Attorney General can sue civil actions for injunctions or penalties not exceeding US$7,500 per violation. The Virginia Attorney General must first issue a violation notice to the administrator and give him a 60-day rectification period before taking enforcement action. Like the CCPA, the VCDPA will create a Consumer Privacy Fund to help the Virginia Attorney General enforce her VCDPA.
