The Virginia Consumer Data Protection Act

Virginia is making its mark in the data privacy landscape with the Virginia Consumer Data Protection Act (VCDPA), which took effect on January 1, 2023. This comprehensive law grants Virginia residents new rights regarding their personal information and imposes obligations on businesses that handle their data.

Key Provisions of the VCDPA:

  • Consumer Rights:

    • Right to Access: Consumers can request access to their personal data.

    • Right to Correction: Consumers can request correction of inaccurate personal data.

    • Right to Deletion: Consumers can request deletion of their personal data.

    • Right to Opt-Out: Consumers can opt-out of the processing of their personal data for purposes of targeted advertising, profiling, and sale.

    • Right to Data Portability: Consumers can request a copy of their personal data in a portable format.

  • Business Obligations:

    • Provide a Privacy Notice: Clearly inform consumers about your data practices.

    • Respond to Consumer Requests: Respond to consumer requests within 45 days.

    • Implement Reasonable Security: Protect personal data with appropriate security measures.

    • Conduct Data Protection Assessments: Assess risks for processing activities like targeted advertising, profiling, and the processing of sensitive data.

    • Obtain Consent: Obtain consent before processing sensitive data.

  • Sensitive Data:

    • The VCDPA provides heightened protection for sensitive data, which it defines as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.1 Businesses must obtain consent to process this type of data.

Who does the VCDPA apply to?

The VCDPA applies to businesses that conduct business in Virginia or provide products or services to Virginia residents and meet one of the following thresholds:

  • Control or process the personal data of at least 100,000 consumers.

  • Control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from selling personal data.

Why is the VCDPA important?

The VCDPA is a significant step in protecting consumer data privacy in Virginia. It's essential for businesses to understand and comply with the VCDPA to avoid legal and financial risks, build trust with customers, and foster a culture of responsible data handling.

How Aetos Can Help:

Aetos Data Consulting provides expert guidance and support to help businesses navigate the complexities of the VCDPA. Our services include:

  • VCDPA compliance audits

  • Policy development and implementation

  • Training and awareness programs

  • Data subject request management

Contact us today to learn more about how we can help your business achieve and maintain VCDPA compliance.

Check out other state laws