Complying with the Virginia Consumer Data Protection Act (VCDPA)

In this article, we provide information that can help business owners successfully navigate the Virginia Consumer Data Protection Act (VCDPA).

Passed on March 2, 2021, the VCDPA provides consumers with broad protection and rights concerning the collection, use, processing, sharing, and sale of their personal information.

It doesn’t matter where your business is located: the VCDPA applies to your company if your customers reside in Virginia. Businesses that fail to comply with the VCDPA may be subject to significant fines and penalties and possible damage to their reputations. But there are solutions that simplify compliance.

Protecting Consumer Privacy

The VCDPA applies to entities that conduct business in Virginia or provide products or services that target Virginia residents and that either:

  • Control or process the personal data of at least 100,000 consumers during a calendar year.
  • Control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.

Because the VCDPA does not impose a revenue threshold, a business cannot become subject to the law merely due to its annual revenues; however, smaller, regional businesses that meet other thresholds may find that they need to comply with it.

The "sale of personal information" is defined as "the exchange of personal data for monetary consideration." Importantly, the definition of sale includes a few notable exclusions:

  • Disclosures to processors.
  • Disclosures to a third party for purposes of providing a product or service requested by the consumer.
  • Disclosures to the controller's affiliate.
  • Disclosures of information that consumers (A) intentionally made available to the general public via a mass media channel and (B) did not restrict to a specific audience.
  • Disclosures as part of a merger, acquisition, etc.

The law defines a consumer as "a natural person who is a resident of the Commonwealth acting only in an individual or household context." It explicitly omits persons who are "acting in a commercial or employment context."

The VCDPA provides consumers with six rights, including the right to:

  1. Access, confirming if a controller is processing the consumer's personal data.
  2. Correct inaccuracies in personal data.
  3. Delete personal data provided by or obtained about the consumer.
  4. Obtain a copy of the consumer's personal data.
  5. Opt out of the processing of personal data.
  6. Appeal a business's denial to act within a reasonable time.

The law mandates that a business that receives an authenticated request must comply, irrespective of the hardships or impracticable nature of the request language.

Satisfying the Virginia Consumer Data Protection Act

To cost-effectively ensure they are complying with the VCDPA, businesses will have to manage and track consumers’ requests to opt out, review, access, delete, and obtain their data.

Business owners and leaders need a system for tracking consumer requests to opt out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data requests.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. A service that stays up to date with the latest changes to data privacy laws across the U.S.

For help with your data privacy compliance challenges, contact PrivacyCare today.
