Data privacy law: Everything you need to know about Virginia’s CDPA 

12-12-2024

Introduction 

In an era where data fuels the digital world, protecting individual privacy has become more critical than ever. As customers become more aware of how their information is collected, shared, and stored, the demand for stronger data protection measures has increased. Governments worldwide are stepping up to address these concerns, introducing laws that emphasise accountability and clarity in handling personal data. Amongst these, the Virginia Consumer Data Protection Act (VCDPA) stands out as a significant step towards effective data privacy laws in the digital age. This blog explores the VCDPA and its role in shaping the future of digital privacy. Continue reading to discover more.

What is the Virginia Consumer Data Protection Act (VCDPA)? 

The Virginia Consumer Data Protection Act was signed into law in March 2021. It came into effect on 1st January 2023, on the same day as California’s Consumer Privacy Rights Act (CPRA), the United States’ second data protection law. The VCDPA is a comprehensive state-level data privacy regulation that safeguards personal information belonging to the 8.7 million residents of Virginia. It regulates the collection and processing of consumers’ data, including consumers’ ability to consent to or opt out of its use, and the handling of requests relating to consumers’ privacy rights.

Who falls under the VCDPA’s scope? 

Organisations are subject to the Virginia Consumer Data Protection Act if both of the following conditions are met:

  • They either conduct business in Virginia or produce products or services intended for Virginia residents

and

  • They meet at least one of the following requirements:

      - Hold or process personal data of at least 100,000 Virginia residents

      or

      - Control or process personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data in a calendar year.

Who is exempt from the Virginia Data Privacy Law? 

Let’s take a closer look at different types of entities that are exempted from the law: 

  • Government bodies, authorities, boards, commissions, districts, and agencies of the state of Virginia. 
  • Financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (which requires organisations to protect consumers’ sensitive data and explain their information-sharing practices).
  • Covered entities associated with or governed by the Health Information Technology for Economic and Clinical Health Act (HITECH) and Health Insurance Portability and Accountability Act (HIPAA) 
  • Non-profit organisations 
  • Institutions of higher learning 

Understanding personal data rights under VCDPA 

The Virginia CDPA grants consumers the following personal data rights:

  • Right to be informed of the processing of personal data 
  • Right to access their personal information 
  • Right to correct inaccurate personal information 
  • Right to opt out of the sale of personal data, targeted advertising, or profiling
  • Right to deletion of personal data 

Interestingly, the VCDPA differs from other laws, such as the CCPA and CPRA, regarding the concept of data subject rights. The privacy laws of other US states call them consumer rights, whereas the VCDPA calls them personal data rights.

Moreover, the VCDPA wants companies to hold only the data they require for a specific purpose, and only for as long as is necessary to achieve that purpose. These principles are often referred to as data minimisation and purpose limitation. This data protection law also requires that companies implement and maintain appropriate information security practices to safeguard the confidentiality, integrity, and accessibility of personal data.

Controllers vs processors: The key components of Virginia CDPA 

Just like the GDPR, the CDPA defines two main roles: controllers and processors. Controllers are the companies responsible for determining the purpose and means of processing personal data. Processors are the companies that process personal data on controllers’ behalf. Under the CDPA, organisations acting as controllers have more stringent obligations, while processors’ obligations are usually tied to their agreements with controllers. As under the GDPR, the relationship between the controller and processor must be governed by a contract that sets out specific requirements and obligations for the processor.

Who ensures the CDPA is followed? 

The Virginia Attorney General has dedicated authority to enforce the CDPA and to charge a civil penalty of up to $7,500 per violation. However, businesses can avoid enforcement actions by properly remedying the violation. Thankfully, the CDPA’s right to cure allows organisations to correct any violation within 30 days of receiving notice from the Virginia Attorney General. 

One of the most distinctive features of this data privacy law is that businesses need to set up a process for consumers to appeal if their rights are denied. The law does not allow individuals to sue the company directly, but enforcement by the Attorney General and the risk of major fines help ensure compliance.

How does VCDPA impact organisations? 

The Virginia Consumer Data Protection Act (VCDPA) drives organisations to rethink their handling of consumer data. Here’s how it impacts companies: 

Reorganise data practices 

Companies must streamline their data collection, focusing only on what’s necessary and transparently explaining its purpose. Effective data management practices, like regular audits and secure storage, are now critical. 

Empowering consumers 

With rights such as data access, correction, and deletion, consumers have control over how businesses handle their data. Companies must implement effective ways to make these processes seamless and trustworthy.

Operational adjustment 

To comply with this data protection law, businesses must revise their privacy policies, create appeal mechanisms for denied requests, and invest in tools to manage and streamline their data effectively.

Gaining a competitive advantage 

By showcasing strong data privacy practices, businesses can build trust and distinguish themselves in the market. 

Adopting effective data management isn’t just about meeting legal requirements – it’s about setting up a foundation for sustainable, trust-driven growth. 

Conclusion  

Understanding Virginia’s CDPA is essential for all businesses that are operating in or interacting with the residents of Virginia. The CDPA’s quick pace toward enactment can motivate other states looking to establish comprehensive data privacy reform. Moreover, this data privacy law is designed to provide key protections for consumers and clearly define the obligations of businesses to ensure a smooth path toward compliance without imposing overly stringent requirements in a complicated statutory structure. 

If you need help with any aspect of data volume management to ensure your business complies with key data privacy regulations, connect with TJC Group today

