On March 3, 2021, the Virginia Consumer Data Protection Act (VA S 1392) was signed into law. This article explains what you need to know about the Consumer Data Protection Act, from who it applies to, to how it defines personal data. It also covers the rights the law gives to individuals and the enforcement mechanisms in place for compliance purposes.
The Virginia Consumer Data Privacy Law: Does it impact you?
Privacy laws in the United States have a broad geographic reach and can therefore apply to businesses outside of the state in which they are passed. In keeping with this broad rule, VA S 1392 applies to persons that do business in Virginia or that produce products or services targeted to Virginia residents, regardless of whether the business is located in Virginia. For example, it applies to businesses that:
- During a calendar year, control or process the personal data of at least 100,000 Virginia consumers; or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Under the law, “personal data” are any pieces of information linked to a real person. Just because your website gets only a few form submissions each year doesn’t mean that you’re not accountable. What constitutes “personal data” in this day and age? Any information that is linked or reasonably linkable to an identified or identifiable person. You also have a compliance requirement if you are a vendor or representative of a larger enterprise that meets the above criteria.
The new law provides residents of Virginia with the following rights:
- Ability to confirm whether their personal data is processed and to access that data;
- Ability to correct inaccuracies in their personal data;
- Ability to delete their personal data;
- Ability to obtain a copy of their personal data in a way that allows them to move the data to another controller; and
- Ability to opt out of the processing of their personal data for the purposes of targeted marketing, the sale of personal data, or profiling.
Website owners (controllers) are required to respond to consumer requests to exercise their privacy rights within 45 days, so it is critical to develop processes to respond quickly and in a compliant manner.
Your privacy policy must also include:
- The categories of personal data processed;
- The purposes of processing the personal data;
- How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request;
- The categories of personal data that you share with third parties, if any;
- Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing; and
- One or more secure and reliable means for consumers to submit a request to exercise their privacy rights.
This law likely requires updates to the privacy policies of many businesses.
Note: we are not attorneys and this article does not constitute legal advice.