A new consumer data privacy law has been passed in Virginia. As consumers demand privacy online, more and more states are getting involved and proposing their own privacy laws. In order to comply with these new laws, advertisers must provide a Privacy Policy on their website. The Privacy Policy should be clear about what data is being collected, how that data will be used, and who will have access to it. Over twenty states have come up with privacy bills of varying complexity, so it is very important that you know the rules in your state.
On March 3, 2021, the Virginia Consumer Data Protection Act (VA S 1392) was signed into law. This article will explain to you all that you need to know about the Consumer Data Protection Act — from who it applies to to how it defines personal data. It will also provide information on the rights it gives to individuals and the enforcement mechanisms in place for compliance purposes.
The Virginia Consumer Data Privacy Law: Does it impact you?
All the privacy laws in the United States have a large geographic focus and, thus, potentially apply to business outside of the state in which they are passed. In the spirit of this broad rule, VA S 1392 applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents regardless of whether that business is located in Virginia. For example, it applies to businesses that:
- During a calendar year, control or process the personal data of at least 100,000 Virginia consumers; or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Under the law, “personal data” are any pieces of information linked to a real person. Just because your website gets only a few form submissions each year doesn’t mean that you’re not accountable. What constitutes “personal data” in this day and age? Any information that is linked or reasonably linkable to an identified or identifiable person. Under the law, “personal data” are any pieces of information linked to a real person. You also have a compliance requirement if you are a vendor or representative of a larger enterprise that meets the above criteria.
Consumer Rights
The new law provides residents of Virginia with the following rights:
- Ability to confirm whether their personal data is processed and to access that data;
- Ability to correct inaccuracies in their personal data;
- Ability to delete their personal data;
- Ability to obtain a copy of their personal data in a way that allows them to move the data to another controller; and
- Ability to opt out of the processing of their personal data for the purposes of targeted marketing, the sale of personal data, or profiling.
Website owners (controllers) are required to respond to consumer requests to exercise their privacy rights within 45 days, so it is critical to develop processes to quickly respond in a compliant manner.
Virginia Consumer Data Protection Act: Privacy Policy requirements
Like other privacy laws, VA S 1392 requires to have in place an accessible, clear, and meaningful Privacy Policy that includes the following disclosures:
- The categories of personal data processed;
- The purposes of processing the personal data;
- How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request;
- The categories of personal data that you share with third parties, if any;
- Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing; and
- One or more secure and reliable means for consumers to submit a request to exercise their privacy rights.
This law likely requires updates to Privacy Policies of many businesses.
Enforcement
The Attorney General of the Commonwealth of Virginia enforces The Virginia Consumer Data Protection Act. If a violation is found (e.g. not having a Privacy Policy), a company would have 30 days to correct the violation. Failure to correct would allow the Attorney General to issue fines of up to $7,500 per violation. In this case, “per violation” would mean per website visitor from Virginia whose privacy rights were infringed upon, meaning that fines could quickly add up to large sums.
We recommend to all our clients to use Termageddon to place a Privacy Policy on their website that automatically updates when laws like this one change.
Note: we are not attorneys and this article does not constitute legal advice.