On the 2nd of March 2021, the Virginia Consumer Data Protection Act (VCDPA) was passed by the state’s governor and is planned to come into effect at the beginning of 2023.
The act, officially S.B. 1392; H.B. 2307, regulates how companies that handle personal data must protect this information and permits consumers to exercise their rights to access and control their personal information.
VCDPA is the second major privacy law in the United States of America after the California Privacy Rights Act (CCPA); both follow the European GDPR model.
Following this trend, many states are soon to pass their own legislation regarding privacy and personal data security.
The VCDPA targets all institutions, organizations, or entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and who, over the period of a year, either:
“(1) control or process personal data of at least 100,000 Virginia residents, or (2) derive over 50% of gross revenue from the sale of personal data (though the statute is unclear as to whether the revenue threshold applies to Virginia residents only) and control or process personal data of at least 25,000 Virginia residents.”
So if you have a website that targets people from Virginia, make sure you are complying with this future legislation by:
updating your notices
implementing data minimization
setting up a possible appeal method
providing the option to opt-out for sensitive data
evaluating your privacy, security, and reporting procedures.
Like earlier privacy laws, VCDPA defines the rights of consumers (the individuals whose data is being collected) and the obligations of controllers (the entities that gather and store this data).
According to the Virginia Consumer Data Protection Act, individuals have the right to:
While the controllers must make sure to:
In this next part, we will discuss the similarities and differences between CCPA and VCDPA.
Let's start with the definition of personal data.
According to CCPA, it is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, while the VCDPA defines it as any information that is linked or reasonably linkable to an identified or identifiable natural person.
In terms of penalties and fines, both laws state that non-compliant businesses will have to pay penalties of up to $7,500 per violation, which is very low compared to the GDPR fines.
According to the CCPA, data processing activities that might be considered of significant risk to consumer privacy will require annual audits and assessments, while for VCDPA data protection assessments need to be conducted when:
You can see a more detailed comparison between VCDPA and CCPA here.
In order to be fully privacy compliant, we recommend you start by installing a website analytics tool that guarantees data security.
TWIPLA is one of those tools as it does not use cookies to track your visitors and it does not share the data with any third parties. You have full control over the personal information you collect.