With no equivalent federal law, the VCDPA adds another layer to U.S. data privacy regulations. It came into effect on January 1, 2023. If your business complies with CCPA/CPRA or GDPR, achieving VCDPA compliance will require minimal adjustments. For those not yet compliant, understanding the responsibilities and consumer rights is crucial. A consent management solution can aid in ensuring compliance for cookies and tracking purposes.
Key Takeaways
- Scope and Applicability:
  - The VCDPA applies to all for-profit organizations doing business in Virginia or targeting Virginia residents, regardless of where they are based.
  - Organizations must comply if they control or process data of 100,000 or more consumers annually, or 25,000 or more consumers and derive over 50% of their revenue from the sale of personal data.
- Consumer Rights and Consent:
  - Consumers can opt out of data collection, processing, and sales at any point.
  - Prior consent is required for sensitive personal data, such as data from users under 13 years old, health and biometric data, and information on race, religion, political views, and sexual orientation.
- Website Cookies and Targeted Advertising:
  - Users must have the option to opt out of cookies and tracking technologies used for targeted advertising, achievable through consent management platforms (CMP).
  - Similar to GDPR compliance, companies must inform users about data collection and provide an opt-out option.
- Compliance Requirements:
  - Organizations must provide privacy notices detailing what data is collected, its purpose, and any third parties with whom data is shared.
  - They should establish data security practices, limit data collection to necessary information, and process data only for disclosed purposes unless new consent is obtained.
- Enforcement and Penalties:
  - The VCDPA is enforced by the Virginia Attorney General, with fines up to $7,500 per infringement.
  - Organizations have a 30-day cure period to correct non-compliance issues before fines are imposed.
Compliance Tips
To comply with the VCDPA, organizations should:
- Conduct a thorough data audit to understand what personal data is collected and processed.
- Implement Consent Management Platforms (CMP) to handle user opt-outs effectively.
- Ensure that privacy notices are easily accessible and clearly written to inform users about data practices.
- Establish and maintain robust data security measures.
- Monitor and respond promptly to consumer requests related to their data rights.
Adhering to these practices will help organizations navigate the complexities of the VCDPA and maintain compliance while respecting consumer data privacy.
Virginia became the second state in the US to enact comprehensive data privacy legislation with the Virginia Consumer Data Protection Act (VCDPA) signed into law in March 2021.
Effective January 1, 2023, the VCDPA impacts companies and organizations conducting business in Virginia or targeting products and services to Virginia residents. Whether or not based in Virginia, all relevant organizations must adhere to VCDPA requirements if they meet the compliance criteria.
What is the Virginia Consumer Data Protection Act (VCDPA)?
The VCDPA is Virginia’s answer to data privacy concerns, inspired by the California Consumer Data Privacy Act (CCPA). This law emphasizes consumers’ right to opt out of personal data collection, processing, and sales. While it allows collecting and processing personal data without consent, consumers must have the option to opt out at any time. However, prior consent is mandatory for sensitive personal data, distinctly categorized within the VCDPA.
Unlike the European Union’s General Data Protection Regulation (GDPR), which mandates prior user consent for data collection, the VCDPA permits general data collection without initial consent. Where the VCDPA does require consent (for sensitive personal data), that consent must be informed and explicit, akin to the GDPR standard.
Compliance Criteria Starting January 1, 2023
Websites, companies, and organizations must comply with the VCDPA if they do business in Virginia or target their services to Virginia residents, provided they meet the set thresholds.
Key Points of the VCDPA
Scope and Definitions:
- General Data Processing: No user consent is needed for general data processing but is required for sensitive personal data.
- Targeted Advertising Opt-Out: Users should be able to opt out through consent management platforms (CMP) featuring consent banners or cookie banners.
- Fair Information Practice Principles (FIPPs): These principles dictate lawful data collection, requiring clear disclosure of the collection purpose, privacy notices, policies, and third-party sharing details.
- Applicability: Affects for-profit companies either based or operating in Virginia if they meet compliance thresholds.
- Sale and Processing Definitions:
  - “Sale” entails exchanging personal data for monetary consideration.
  - “Processing” includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
- Sensitive Personal Data: Includes data from minors under 13, health and biometric data, geolocation, and information on race, ethnicity, religion, politics, and sexual orientation.
- De-identified Data: Must be handled to ensure it can’t be re-associated with individuals.
- Enforcement: Managed by the Virginia Attorney General, with fines up to $7,500 per infringement. Companies get a 30-day cure period to rectify violations before fines are imposed.
Website Cookies under VCDPA
The VCDPA mandates an opt-out option for users against data collection via cookies or other trackers used for targeted advertising. Targeted advertising tailors marketing based on users’ activities over time and across different websites.
Compliance can be streamlined with a consent management platform that detects and controls cookies based on user preferences expressed via consent or cookie banners.
VCDPA Compliance for Companies and Organizations
Organizations must know what personal data they collect, process, store, and share, and ensure data protection from breaches and misuse.
To comply, companies and organizations must:
- Provide privacy notices disclosing the type of data processed and shared, why, and with whom it’s shared.
- Disclose if data is used for targeted advertising and provide opt-out mechanisms.
- Establish robust data security practices.
- Respond to consumer requests within 45 days, with possible extensions under certain conditions.
- Allow appeals against refusal of requests (e.g., due to inadequate identity verification).
- Limit data collection to what’s necessary for its disclosed purpose, and obtain consent if processing purposes change.
Controllers must have agreements with processors detailing the data type, processing purpose, and duration. Processors must ensure data confidentiality, provide data on request, and delete data upon service completion.
Compliance with VCDPA, CCPA/CPRA, and GDPR
VCDPA appears more similar to GDPR than CCPA/CPRA but diverges in some aspects like consent provisions, operational scope, and definitions of data sale.
- Scope: VCDPA affects fewer entities, excluding government, nonprofits, and certain educational institutions.
- Personal Data: Covers a broader range of publicly available data in comparison to CCPA/CPRA.
- Fines and Enforcement: VCDPA stipulates higher fines and broader penalties, including recovery of legal fees and investigative costs.
- Sale Definition: Narrower in VCDPA compared to California’s broader sharing definition.
- Consumer Rights: VCDPA grants more comprehensive opt-out rights for sale, targeted advertising, and profiling, but, unlike the CCPA, provides no private right of action.
Privacy Notices Under VCDPA
A privacy notice under the VCDPA must be clear, accessible, and descriptive of:
- Categories of personal data collected and shared.
- Third parties with access to the data.
- Purpose of data collection.
- Instructions for opting out of targeted advertising.
Consumer Rights under VCDPA
Residents are entitled to:
- Know if their data is collected.
- Access and obtain a copy of their data.
- Correct inaccuracies and request deletion of data.
- Opt out of data collection for targeted advertising, sales, or profiling.
- Non-discrimination for exercising their rights.