VCDPA: Preparing for 2023 enforcement

• The Virginia Consumer Data Protection Act (VCDPA) was passed March 2, 2021 - creating data rights for Virignia consumers and new obligations for businesses processing personal consumer data.

• The VCDPA gave Virginia consumers six new data rights rights, including the right to access, correct, delete, or transfer their personal data, as well as opt-out of data processing for the purposes of targeted advertising.

• The VCDPA enforcement date was Jan 1, 2023, so businesses need to ensure they're compliant with the various requirements outlined by this law. Keep reading to learn more!

What is the VCDPA?

• Scope: Who is subject to the VCDPA?

• Consumer rights

• VCPDA enforcement

• Exemptions

How to Prepare for Virginia’s CDPA

• Complete data protection assessments

• Identify and limit “sensitive” data processing

• Develop a data request appeals process

• Provide opt-out for advertising and profiling

• Review third party contracts

Building a Compliant, Scalable Privacy Program

Passed on March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) established a “framework for controlling and processing personal data"—giving Virginia residents new data rights, while creating establishing data processing obligations for businesses under the bills purview.

The VCDPA enforcement date was Jan 1, 2023, so businesses who aren't already in compliance need to work fast to remedy the situation.

Additional resources

• To learn how VCDPA compares to other state privacy laws check out our detailed infographic.

• For a more comprehensive overview, check out the VCDPA full text.

Though not all businesses that handle consumer data are subject to VCDPA requirements, the bill's scope is fairly broad, applying to:

• For-profit organizations that conduct business within Virginia AND

• Businesses that target Virginia residents with their services or products

To be subject to CDPA provisions, any business that meets either of the above criteria must also:

• Process or control personal data from a minimum of 100,000 Virginia residents each calendar year OR

• Process the data of 25,000 Virginia residents while deriving at least 50% of gross revenue from selling personal data

The Virginia Consumer Data Protection Act gives consumers six new data rights rights, including the right to access, correct, delete, or transfer their personal data, as well as opt-out of data processing for the purposes of targeted advertising.

Once a consumer exercises one of these rights (making a request for access, deletion, etc.), VCDPA requires that the business responds within 45 days. Businesses can extend their response time another 45 days if necessary, but must notify the consumer.

We dive a bit further into each of these consumer rights below.

Right to access: Consumers have the right to access their data. This includes being able to confirm whether a controller is processing their personal data or not.

Right to correct: Virginia consumers also have the right to correct mistakes in the personal data a company holds about them.

Right to delete: Consumers have the right to delete their personal data. They can delete this data whether it was provided by them directly or obtained from another entity (like a lead purchasing platform).

Right to data portability: Under CDPA, consumers have the right to request a copy of their personal data. Businesses must relay the data to the consumer in an easily transmissible format.

Right to opt out: If their data is being processed for targeting advertising, Virginia consumers have the right to opt out. This is one of the few provisions in the CDPA that has no listed exceptions.

Right to appeal: If an organization can't fulfill a privacy request for any reason, consumers have the right to file an appeal. This means that businesses must establish a functional appeals process with a consumer-facing interface.

If an appeal is denied, the business must inform the consumer of their right to file a formal complaint with the Virginia attorney general. They must also explain how to file that complaint.

The Virginia CDPA does not include a private right of action, meaning that Virginia citizens cannot file lawsuits for VCDPA violations on their own behalf.

VCDPA enforcement falls exclusively to the Virginia attorney general. If the office of the attorney general elects to take action against a violator, they must notify the organization’s controller.

The controller must remedy the issue and submit a written notification stating that the violations have been resolved. Failure to comply can result in a fine of up to $7,500 per violation.

The Virginia CDPA has exemptions for specific entities and data types.

Exempted entities include:

• Virginia state and local governing bodies

• Organizations subject to the Health Insurance Portability and Accountability Act (HIPPA)

• Institutions subject to the Gramm-Leach-Bliley Act (GLBA)

• Non-profits

• Higher education institutions

Exempted data types include:

• Employee information

• Data already regulated by existing privacy laws (HIPPA, Fair Credit Reporting Act, Farm Credit Act, etc)

• Personal information from someone communicating with your company in a commercial setting i.e. the contact info for someone involved in a commercial negotation

The VCDPA went into effect on January 1, 2023 and, while understanding this new data privacy law is important, it's just one piece of the puzzle. Getting your business prepared for VCDPA compliance is where the rubber hits the road.

Building out effective privacy infrastructure can be complex and time consuming. Savvy organizations will start preparing now, so as not to open the door for civil liability or financial penalties.

Though the VCDPA enforcement date has already passed, affected businesses should consider the following steps.

If your organization engages in any "risky" data processing activities, a data protection assessment (DPA) is required. According to the VCDPA, businesses must conduct a DPA for the following activities:

• Processing data for targeted advertising

• Selling personal data

• Processing data for profiling

• Processing sensitive personal information

• Any processing activity that "present(s) a heightened risk of harm to consumers"

When working through a data protection assessment, you need to create a clear, documented structure for weighing the benefits and risks of your data processing activities. You should also include information on how you're de-identifying data, how you've set expectations with the consumer, and general context around the processing.

Though the VCDPA does not require that companies submit assessments to the Virginia attorney general, they must be made available for evaluation upon request.

The VCDPA defines two data types: personal and sensitive.

Personal data is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Sensitive personal information (SPI) is defined as data that reveals a person's:

• Racial or ethnic origins

• Religious beliefs

• Physical or mental health

• Sexual orientation

• Immigration or citizenship status

• Biometric or genetic data

• Precise location

Any data about a "known child" also counts as SPI.

Under VCDPA, organizations may not process sensitive personal information without first getting consumer consent, stating that:

A controller shall [...] not process sensitive data concerning a consumer without obtaining the consumer's consent...

59.1-574

To remain compliant with this requirement, you first need to determine whether or not your company is processing sensitive data. If you are, then you need to determine where the data is being collected and how it's being processed.

From there, implement a consent manager that solicits consent before the processing begins, as well as an opt-out mechanism in case a consumer changes their mind after the fact.

The Virginia CDPA requires that companies establish a way for consumers to file an appeal if their privacy request is denied, stipulating that the appeals process must:

• Include an interface that's easy to find and use

• State a fixed time period for your company’s response

• Provide a way to contact the Virginia attorney general if your company denies the appeal

Information about how to submit an appeal also needs to be included in your company's privacy policy.

VCDPA defines targeted advertising as:

"...displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from a consumer's activities over time..."

 59.1-571

It defines profiling as:

"automated processing performed on personal data to evaluate, analyze, or predict personal aspects [of a] natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements."   59.1-571

VCDPA is an opt-out consent regime, meaning businesses may engage in these activities - targeted advertising and profiling - without getting consumer consent upfront. However, companies must give users a way to opt-out.

Implementing opt-out for targeted advertising and profiling often means installing a consent manager, which allow users to determine what, if any, tracking they'll allow while on a site.

For one reason or another, most organizations do end up sharing data with third party vendors.

Under VCDPA, this data sharing relationship must be governed by a detailed contract—one that covers how the data should be processed, why the data's being processed, how long the processing will last, and what's required of both parties.

The contract also needs language that specifically governs the data processors actions, requiring that:

• Any person processing personal data keeps said data confidential

• Data must be deleted or returned at the data controller's request

• The processor will provide proof of compliance if asked

• The processor will cooperate with compliance audits

For full view of what VCDPA requires for third-party contracts check out 59.1-575. Section B.

With 15 states considering privacy legislation in their 2022 session, Virginia’s new data privacy law is one among many.

Ensuring VCDPA compliant is an important step, but savvy organizations will use this as an opportunity to get ahead and build a privacy program that’s compliant and scalable.

Here are a few general recommendations for organizations looking to build privacy programs that support compliance today and scalability tomorrow.

Looking at the long-term, it’s clear privacy regulation is here to stay. With new legislation passing year after year, and more on the horizon, organizations should consider how to set themselves up for success today, tomorrow, and ten years from now.

Of course, predicting future legislation isn't easy. But current legislation and bills under consideration do offer compelling clues about where this sector is headed.

Consider the rules defined in recent bills and then assume those same obligations will show up, in some form or another, in all future privacy legislation.

For example, the VCDPA and the Florida Privacy Protection Act (currently under consideration for 2022), have the same provisions around scope. A business must:

• Process or control personal data from a minimum of 100,000 state residents each calendar year OR

• Process the data of 25,000 state residents and derive a minimum of 50% of gross revenue from selling personal data

Naturally, there will be exceptions and nuances with each new round of legislation, but legal precedent is powerful and it’s highly likely future privacy bills will share similar scope and structure.

In terms of strategies that work all across the board, data minimization is one that ever organization should consider. Data minimization addresses core privacy issues at the source–the less data you have to map, manage, and address, the less opportunities there are to become non-compliant.

Seek out comprehensive privacy solutions that will allow your organization to encode privacy across all data sources and automate manual tasks such as data subject requests, consent, and data mapping.

Automated platforms are more cost-effective than manual workflows or point solutions. Moreover, these technologies can help bridge the divide between legal, IT security, and engineering teams: minimizing complexity and ensuring everyone is on the same page.

Siloing privacy to a single team or individual is a recipe for poor productivity and wasted resources. Implementing data rights is, by nature, a cross-functional activity that spans across teams.

Investing in proper training and resources, while weaving the concept of privacy into the fabric of your organization will pay huge dividends as regulation evolves.

Going forward, businesses can expect to encounter more legislation like Virginia’s privacy law. New legislation is sure to originate at the state level and, eventually, is likely to come at the Federal level as well.

Navigating the nuances of these legal changes will only get more complex and savvy businesses will start preparing now. First, by learning how they’ll be affected by new legislation and then investing in people, programs, and solutions that ensure comprehensive internal compliance and data rights for consumers.

• How Can Businesses Start Preparing for the Virginia Consumer Data Protection Act? [Video]

• Virginia passes the Consumer Data Protection Act

• Getting ready for 2023: What Companies Can Do Now to Prepare for New Privacy Laws

• Virginia Consumer Data Protection Act Series

• Getting Ready for 2023: What Companies Can Do now to Prepare for New Privacy Laws

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.