Who Will This Impact?
Businesses that already comply with GLBA or HIPAA are exempt from VCDPA.
For other businesses, the Act will apply to entities that conduct business in Virginia or produce products targeted at Virginia residents and that:
- control or process personal data of more than 100,000 consumers during the calendar year;
- derive over 50% of gross revenue from sales of personal data; or
- control personal data of more than 25,000 consumers.
VCDPA uses designations similar to the GDPR's for controllers and processors, including specific obligations on each.
What Is Personal Data?
VCDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person. It also provides an explicit definition of sensitive data, which covers:
- Personal data revealing:
  - Racial or ethnic origin
  - Religious beliefs
  - Mental or physical health conditions or diagnosis
  - Sexual orientation
  - Citizenship or immigration status
- Processing of genetic or biometric data to uniquely identify a natural person; or
- Personal data collected from a known child
The VCDPA specifically defines a consumer as any person acting in a commercial or employment context.
Other Important Details
Like the CCPA, it prohibits businesses from discriminating against consumers who exercise their rights, unless the consumer has exercised their right to opt out or the offer relates to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium-features, discount or club-card program.
Data protection impact assessments
Entities will be required to conduct a DPIA when a controller is doing any of the following:
- Processing personal data for the purposes of:
  - Targeted advertising; or
  - Selling personal data
- Processing sensitive data
- Conducting any processing activity that presents a heightened risk of harm to consumers
Businesses will be required to provide a privacy notice in a specific format, which must also include the categories of personal data that are processed.
Right to confirm processing
Consumers have an explicit right to confirm whether a controller is processing their personal data.
Right to access
Consumers have the right to obtain a copy of personal data previously provided to the controller and to access any personal data collected, sold, or transferred in the last 12 months.
Right to portability
Consumers have the right to receive a copy of their personal data in a readily usable format that can be transferred to another controller.
Right to correction
Consumers have the right to correct any inaccuracies in their personal data.
Right to opt-out of certain processing
Consumers have the right to opt out of processing of personal data under the VCDPA for the purposes of:
- Targeted advertising
- The sale of personal data; or
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Right to deletion
Consumers have the right to have collected personal data deleted under certain conditions.
Businesses will be required to implement measures they may not have needed before. All entities will need to maintain reasonable security measures for all data. Contracts will be required between controllers and processors, including specific types of obligations that the controller must place on the processor.
The Act will be enforced by the Attorney General. It includes a 30-day cure period during which entities have the chance to make the necessary changes before incurring a fine.
If necessary, fines will be imposed. Continuing violations are subject to civil action for damages of up to $7,500 for each violation.
How Can Value Privacy Help?
Value Privacy are a team of experts who will make sure you are prepared for this new privacy law, whether that means creating a privacy notice, drafting contracts or analysing how your data is stored and processed. We can make sure your organization is ready, usually at a lower cost than hiring someone to do it in house. Contact us today to find out how we can help you.