United States: The Virginia Consumer Data Protection Act will go into effect in 2023


In short

Companies around the world will need to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to the personal data of Virginia consumers. With the VCDPA, Virginia follows in the footsteps of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, the CCPA), but it does not include employee and business-representative data within its scope.


  1. Whose data is protected?
  2. Who must comply?
  3. What is required?

Businesses that have already built CCPA compliance programs can reuse some of their vendor agreements, website disclosures and data-subject-request procedures to meet the requirements of the VCDPA. However, the VCDPA has some distinct requirements that may call for VCDPA-specific procedures. For example, the VCDPA requires businesses to obtain opt-in consent before processing sensitive personal data, and to conduct data protection assessments before processing sensitive data or engaging in targeted advertising, sale of personal data or profiling. Unlike the CCPA and some other privacy laws, the VCDPA gives the Virginia Attorney General no rulemaking authority: any change to the VCDPA's requirements must come through amendment by the legislature.

The VCDPA comes into force on 1 January 2023 and contains no look-back period for violations.

Whose data is protected?

The VCDPA protects "consumers", which the law defines as natural persons who are Virginia residents acting in an individual or household context. Individuals acting in a commercial or employment context are excluded from protection.

The VCDPA defines "personal data" as any information that is linked or reasonably linkable to an identified or identifiable natural person, but excludes de-identified data and publicly available information. Unlike the CCPA, the VCDPA does not extend to data about households.

The VCDPA also carves out certain entities and types of data. Entity-level exemptions cover financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), government entities, and covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Data-level exemptions cover employment records, protected health information under HIPAA, and categories of information already regulated under other federal laws, including the GLBA, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, and the Children's Online Privacy Protection Act (COPPA).

Who must comply?

Unless an exemption applies, the VCDPA applies to "controllers" and "processors" that conduct business in Virginia or produce products or services that are targeted to Virginia residents, and that meet one of the following thresholds: the business (i) controls or processes the personal data of at least 100,000 consumers in a calendar year; or (ii) controls or processes the personal data of at least 25,000 consumers and derives more than 50 percent of its gross revenue from the sale of personal data.

"Controller" is the counterpart of "business" under the CCPA and is defined as a person who, alone or jointly with others, determines the purpose and means of processing personal data. "Processor" is the counterpart of "service provider" under the CCPA and is defined as a person who processes personal data on behalf of a controller. The VCDPA requires processors to follow the controller's instructions and to assist the controller in meeting its obligations, and the two parties must enter into a contract containing certain terms mandated by the VCDPA.

What is required?

Privacy Notices. Under the VCDPA, controllers must provide a privacy notice that includes: (i) the categories of personal data the controller processes; (ii) the purposes for processing; (iii) how consumers may exercise their rights, including how a consumer may appeal the controller's decision on a request; (iv) the categories of personal data the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. Unlike the CCPA, the VCDPA does not require a notice at or before the point of collection, and it does not require other elements the CCPA mandates, such as information about the sources of personal data, the procedures the controller uses to verify requests, or any financial incentives offered in exchange for the collection, retention or sale of personal data. Depending on the nature of the business and its existing disclosures, many businesses can therefore use their CCPA privacy notices to comply with the VCDPA by amending them to describe the VCDPA right to appeal a controller's decision on a consumer request.

The VCDPA also requires controllers that "sell" personal data to third parties or process personal data for targeted advertising to clearly disclose such processing and how the consumer can exercise the right to opt out. Unlike the CCPA, the VCDPA's definition of "sale" of personal data is limited to the exchange of personal data for monetary consideration. The VCDPA also exempts certain disclosures from being a "sale" of personal data, such as disclosures to a processor that processes personal data on the controller's behalf, disclosures to a third party for the purpose of providing a product or service requested by the consumer, disclosures to an affiliate of the controller, disclosures to a third party as part of a merger or similar transaction, and disclosures of personal data that the consumer intentionally made available to the general public via a mass-media channel.

Sensitive Data. Unlike the CCPA, which gives consumers an "opt-out" right to limit the use of sensitive personal information beyond certain permitted purposes, the VCDPA requires consumers to "opt in" before a controller may process their sensitive data.

The VCDPA defines "sensitive data" to mean specific statutory categories of data, including personal data revealing an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; personal data collected from a known child (under the age of 13); genetic or biometric data processed for the purpose of uniquely identifying a natural person; and precise geolocation data.

In practice, fitness trackers, delivery apps, and other businesses that offer recommendations or services based on a consumer's precise location must obtain the consumer's consent before processing that data. For children's data, the company must obtain consent from a parent or guardian in accordance with COPPA's parental-consent requirements.

Technical and Organizational Measures; Data Protection Assessments. The VCDPA requires controllers to establish, implement and maintain reasonable administrative, technical and physical data security practices, and to conduct and document a data protection assessment before undertaking any processing that presents a heightened risk of harm to consumers. The VCDPA treats processing for targeted advertising, the sale of personal data, profiling (where it presents certain risks to consumers) and the processing of sensitive data as presenting such a risk.

The CCPA originally contained no assessment requirement, but the California Privacy Protection Agency must issue regulations under the CCPA that will likewise require cybersecurity audits and risk assessments. Companies should design the assessments they conduct under the VCDPA so that they can also support compliance with the CCPA and other US state privacy laws.

Data Processing Agreements. Before a processor begins processing on behalf of a controller, the parties must enter into a contract containing terms similar to those required under other US state privacy laws (and the GDPR), including the controller's instructions for processing and the processor's obligations to: (1) keep the personal data confidential; (2) delete or return all personal data to the controller at the end of the services, unless retention is required by law; (3) make available to the controller, upon request, all information necessary to demonstrate compliance; (4) allow and cooperate with reasonable assessments by the controller or its designated assessor; and (5) flow down equivalent obligations to any subcontractors. Processors must follow the controller's instructions and use appropriate technical and organizational measures to assist the controller in meeting its obligations under the VCDPA. Businesses should continue to draft their contracts with harmonization across these laws in mind where possible (see Harmonizing data processing contracts around the world).

Data Subject Rights. Under the VCDPA, consumers have the right to confirm whether a controller is processing their personal data and to access that data, to obtain a copy of it in a portable and readily usable format that allows transfer to another controller, to correct inaccuracies in it, and to have it deleted. Consumers also have the right to opt out of the sale of their personal data, of its use for targeted advertising, and of profiling in furtherance of decisions that produce legal or similarly significant effects.

Responding to Data Subject Requests. Controllers must respond to an authenticated consumer request without undue delay and in any case within 45 days of receiving it. A controller may extend this period by a further 45 days where reasonably necessary, and the consumer may appeal any decision the controller makes through the appeals process the VCDPA requires controllers to establish. The controller must respond to an appeal within 60 days and, if it denies the appeal, must tell the consumer how to contact the Virginia Attorney General to submit a complaint. This contrasts with the CCPA, which does not mandate an appeals process.

Penalties and Remedies. Unlike the CCPA, the VCDPA provides no private right of action; enforcement rests with the Virginia Attorney General, who may seek an injunction and civil penalties of up to USD 7,500 per violation. Before taking action, the Attorney General must give the controller or processor written notice of the violation and 30 days to cure it. Like the CCPA, the VCDPA creates a Consumer Privacy Fund to support the Attorney General's enforcement of the law.

This content is provided for educational and informational purposes only and is not intended to be, and should not be construed as, legal advice. It may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. For more information, please visit: www.bakermckenzie.com/en/client-resource-disclaimer.

