Marquee Background
Marquee Background

Offit Kurman Blogs

Litigation

The Virginia Consumer Data Protection Act: Is your Business Ready?

January 16, 2023

By Anders Sleight

Following California’s lead, Virginia became the second state to enact a data privacy statute.  VA Senate Bill 1392.  The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023.  Here’s what you need to know.

Personal Consumer Data Rights

Each individual Virginia resident may exercise the following data privacy rights:

  1. Confirmation: The right to confirm whether or not an entity or individual is processing your personal information and to access such personal data;
  2. Correction: The right to correct inaccuracies in your consumer personal data, taking into account the nature of the personal data and the purposes of the processing of your consumer personal data;
  3. Deletion: The right to delete personal data provided by or obtained about you;
  4. Copies: The right to obtain a copy of your consumer personal data that you previously provided to a Data Processor in a portable and readily usable format; and
  5. Opt-out: The right to opt out of any processing of personal data for (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

Who is Subject to the VCDPA?

  • Controllers: a person or entity that determines the purpose and means of processing personal data
  • Processors: a person or entity that processes personal data on behalf of a controller

Data Controller Obligations:

  1. Limitations: Must limit collection of personal data to that which is adequate, relevant and reasonably necessary;
  2. Disclosure: Cannot collect personal data for purposes inconsistent with the disclosed purposes for which data is collected;
  3. Data Security: Must establish and maintain reasonable data security practices
  4. Anti-Discrimination: Prohibited from discriminating against consumers in processing data, including a consumer’s exercise of rights under the VDCPA
  5. Consent: Obtain consumer consent before processing sensitive data
  6. Privacy Policy: must be reasonably accessibly and inform consumers of their rights, among other requirements
  7. Online Submission: must establish a system for consumers to submit data rights requests.
  8. Appeals: consumers have the right to appeal decisions regarding consumer data rights requests if action is not taken in response to a request. Controllers need to establish a system to determine appeals.

How is the VCDPA Enforced?

  • Exclusive enforcement by the Attorney General of Virginia
  • Enforcement actions authorized; damages of up to $7,500.00 per violation
  • No private right of action. Individuals and entities cannot sue under the VCDPA.

Exceptions and Exemptions

  • A controller or processor is not subject to the VDCPA unless it
    • Controls or processes personal data of at least 100,000 Virginia residents; or
    • Controls or processes personal data of at least 25,000 Virginia residents and derives over 50 percent of gross revenue from the sale of personal.
    • Financial institutions regulated by the Gramm Leach Bliley Act are exempt.

These are just a few of the requirements of the VDCPA, which could change as Virginia begins its 2023 legislative season.  If you or your organization may be subject to the VCDPA, reach out to Anders Sleight | Offit Kurman today to discuss your obligations and compliance management.

Categories: Litigation

Related People

Related Services

  • Posts
  • About
  • Subscribe

Firm Highlights