The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021 and will take effect on January 1, 2023.
What is the Virginia Consumer Data Protection Act?
The VCDPA is said to be a simplified version of the Washington Privacy Act, and also shares many similarities with the California Consumer Privacy Act (CCPA).
The purpose of the VCDPA is to give elevated rights to Virginia consumers in relation to the way companies use and protect their personal data. The VCDPA also dictates how companies must respond to requests from their customers.
VCDPA Requirements for Data Controllers
Under the VCDPA, the data controller (the entity that determines the purpose and means of processing PII) is required to take the following actions when requested:
- Provide access to personal data
- Provide a copy of personal data in a portable format
- Ensure that the personal data they process is accurate/up-to-date
- Delete personal data
- Give consumers the option to opt-out of PII processing activities that are used for targeted advertising, profiling (to make decisions) and the sale of their data
A data controller typically has 45 days to respond to a request, although the timeline can be extended under certain conditions.
Who Does the VCDPA Apply to?
The VCDPA applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”
Penalties for Failing to Comply
A failure to comply with the VCDPA could result in penalties of up to $7,500 per violation, in addition to attorney’s fees. However, unlike the CCPA, consumers do not have a right to privately sue companies for alleged VCDPA violations.
How Does the VCDPA Differ from the CCPA?
While there are many similarities between the VCDPA and the CCPA, there are some subtle but important differences that need to be taken into consideration. For example, the VCDPA contains additional requirements, which include:
- Broader affirmative consent or opt-in requirement, which includes “personal data of an individual known to be a child”.
- Broader opt-out rights, which covers the sale of personal data, targeted advertising, and profiling.
- Mandatory data protection assessments, to prevent any processing of personal data that presents a “heightened risk of harm to consumers.”
- Obligation to confirm processing and broader deletion requirements, which covers personal data not only collected from, but also collected “concerning” a consumer.
- Conspicuously disclosed, mandatory right of appeal process, which requires a clear privacy notice, and may require changes to any automated processes you have in place relating to consumer requests.
- Specific processor role-based requirements, where the processor is required to demonstrate compliance to the supervisory authorities.
- Different data minimization standards, which place a greater emphasis on transparency to consumers about how the company plans to use their data.
How to Comply with the VCDPA
The current documentation about how to comply with the VCDPA is sparse, which isn’t surprising given that it was only recently signed into law. However, since the VCDPA is loosely modelled on the CCPA, we can make logical assumptions about the steps that need to be taken in order to comply, taking into consideration the additional requirements listed above. The best place to start would be to spend time thinking about what you plan to do with a user’s personal data, what measures you have in place to quickly locate their data, and the security controls in place to protect their data.
Identity verification: When a customer submits a Subject Access Request (SAR), companies must ensure that they can verify the identity of the requester, so that they do not disclose personal information to the wrong person. Identity verification is a complex subject which goes beyond the scope of this article; however, the simplest, and perhaps most widely adopted, system for accurately verifying a user’s identity is multi-factor authentication, which requires additional information to log in, such as a passcode sent to their mobile device or some form of biometric information.
Data classification: The ability to quickly and accurately locate a data subject’s personal information is crucial, not only to comply with the VCDPA, but also for most other data privacy regulations, such as GDPR, CCPA, HIPAA, SOX, and so on. Many organizations store large amounts of unstructured data, scattered across multiple locations, which can make responding to SARs a nightmare. A data classification solution will scan your repositories (both on-premise and cloud-based) and automatically classify your data, and can even classify data at the point of creation/modification. Most sophisticated solutions will give you the option to specify which data privacy regulations apply to your industry and classify the data accordingly. It should also be noted that the VCDPA has a “broader deletion requirement”, which also includes data collected “concerning” a consumer, and not just data that is processed on the consumer’s behalf; the vendor of your data classification solution will most likely take this into account when developing a template for the VCDPA.
Fast and Granular Reporting: In order to comply with both the CCPA and the VCDPA, companies must be transparent about the way they collect, process, store and share personal information. This includes information about who is accessing the data, what they do with it, and when.
As such, companies must maintain an immutable record of all events concerning any personal data they interact with. They must be able to easily monitor these events, as well as perform various filtering operations to quickly locate the relevant events.
The company must also be able to demonstrate this knowledge to the supervisory authorities at a moment’s notice.
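As an added illustration of the record-keeping described above (example code, not part of the original article or any Lepide product): a tamper-evident, hash-chained log of personal-data events, a filter that pulls the events concerning one consumer for an access request, and a helper for the 45-day response deadline. The sample events are constructed, and the extension period is left to the caller because the conditions for extending the deadline are not covered here.

```python
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64

# Constructed sample events (not real data): who touched which consumer's personal data, where and when.
SAMPLE_EVENTS = [
    {"ts": "2023-01-10T09:12:00", "actor": "alice", "subject": "cust-1042", "action": "read", "store": "crm"},
    {"ts": "2023-01-10T09:15:00", "actor": "svc-marketing", "subject": "cust-1042", "action": "export", "store": "dwh"},
    {"ts": "2023-01-11T14:02:00", "actor": "bob", "subject": "cust-2201", "action": "update", "store": "crm"},
]

def _digest(prev_hash, event):
    # Canonical JSON (sorted keys) so the same event always hashes the same way.
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def append_event(chain, event):
    """Append an entry whose hash covers the previous hash: editing or deleting an earlier entry breaks the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": dict(event), "prev": prev_hash, "hash": _digest(prev_hash, event)})
    return chain

def build_chain(events):
    chain = []
    for event in events:
        append_event(chain, event)
    return chain

def verify_chain(chain):
    """True only if every entry still matches its own content and its predecessor's hash."""
    prev_hash = GENESIS
    for entry in chain:
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False
        prev_hash = entry["hash"]
    return True

def events_for_subject(chain, subject):
    """Filter the log to the events concerning one consumer, e.g. to answer an access request."""
    return [entry["event"] for entry in chain if entry["event"]["subject"] == subject]

def sar_due_date(received_iso, extension_days=0):
    """Response deadline: 45 days from receipt (ISO date string); extension_days is an assumed caller-supplied value."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=45 + extension_days)).isoformat()
```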
How Lepide Helps
Most sophisticated Data Security Platforms provide a reporting console that can generate pre-defined, oven-ready reports at the click of a button, customized according to the relevant data privacy laws. If you are using multiple platforms, such as an on-premise Active Directory environment used alongside Azure AD or some other cloud platform, you will need a solution that can aggregate and correlate event data from each platform and display the results via a centralized dashboard.
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and help you be compliant with the Virginia Consumer Data Protection Act, schedule a demo with one of our engineers or start your free trial today.