Do you run a for-profit organisation in the United States that processes personal and sensitive consumer data? If so, you may be concerned about the growing number of data privacy laws cropping up from state to state.
Ever since the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, four other US states — Connecticut, Colorado, Utah and Virginia — have passed their own data privacy laws. Each law uses the CCPA as a foundation but slightly deviates from the formula. This is a problem for US organisations, as they cannot apply the same CCPA compliance framework everywhere else.
In this article, you’ll learn what makes the Virginia Consumer Data Protection Act (VCDPA) unique and how to ensure compliance.
What is the VCDPA?
Signed by Governor Ralph Northam on 2 March 2021, and brought into effect on 1 January 2023, the VCDPA is a new data privacy law. It gives Virginia residents certain rights regarding how organisations process their personal and sensitive consumer data.
The law contains several provisions, which define:
- Who must follow the VCDPA
- Who is exempt from the VCDPA
- The consumer rights of data subjects
- Relevant terms, such as “consumers,” “personal data,” “sensitive data” and the “sale of personal data”
- The rights and responsibilities of data controllers
- What applicable organisations must do to ensure VCDPA compliance
These guidelines define the data collection practices that VCDPA-compliant organisations must comply with. The practices are designed to protect the rights of Virginia residents who have their personal or sensitive data collected.
What are the consumer rights of VCDPA data subjects?
There are seven consumer rights that protect residents who fit the definition of “data subjects” under the new Virginia data privacy law.
A data subject is an “identified or identifiable natural person” who has their information collected. Personally identifiable information includes a person’s name, address, date of birth, religious beliefs, immigration status, status of child protection assessments, ethnic origin and more.
Below is a detailed breakdown of each VCDPA consumer right:
- Right to know, access and confirm personal data: Data subjects have the right to know that their data is being collected, the right to access their data and the right to confirm that the data being collected is accurate and up to date.
- Right to delete personal data: Data subjects have the right to request that their collected personal or sensitive consumer data be deleted.
- Right to correct inaccurate personal data: Data subjects have the right to request that their collected data be corrected.
- Right to data portability: Data subjects have the right to obtain their collected data and, when reasonable and possible, request that their collected data be transferred from one data controller to another.
- Right to opt out of data processing activity: Data subjects have the right to opt out of having their personal or sensitive data collected.
- Right to opt out of the sale of personal and sensitive consumer data: Data subjects have the right to opt out of having their collected data sold to third parties.
Right to not be discriminated against for exercising one’s rights: Data subjects have the right to not be discriminated against for exercising their right to not have their personal or sensitive consumer data collected, processed and sold to third parties for targeted advertising or other purposes.
Who must comply with the VCDPA?
The VCDPA applies to for-profit organisations. Specifically, those that operate and offer products or services in the state of Virginia.
Additionally, for-profit organisations that fit under either of these two categories must comply with the VCDPA:
- Collect and process the personal data of at least 100,000 Virginia residents within a financial year or
- Collect and process the personal data of at least 25,000 Virginia residents and receive at least 50% of gross revenue by selling personal or sensitive data.
If a for-profit organisation resides out of the state of Virginia and falls into one of the categories above, they must comply with the VCDPA. Eligibility requirements also apply, regardless of the revenue threshold of the organisation in question. Large organisations can avoid VCDPA compliance if they don’t meet either of the above two eligibility requirements.
What types of consumer data does the VCDPA protect?
The two main types of data that apply to the VCDPA are personal and sensitive data.
Personal data is either identified or personally identifiable information, such as home address, date of birth or phone number. Information that is publicly available or has been de-identified (dissociated with a natural person or entity) is not considered personal data.
Sensitive data is a category of personal data. It’s data that’s either the collected data of a known child or data that can be used to form an opinion about a natural person or individual. Examples of sensitive data include information about a person’s ethnicity, religion, political beliefs and sexual orientation.
It’s important that VCDPA-compliant organisations understand the difference between the two data types, as failure to do so could result in penalties of up to $7,500 per violation. For instance, if an organisation wants to collect sensitive data (and they have a valid reason to do so), they must first ask for consent from consumers. If the organisation in question fails to do so, then they’ll be in violation of the VCDPA, and may be subject to multiple penalties — equal to however many violations they incur.
A 5-step VCDPA compliance framework
Getting up to speed with the terms of the VCDPA can be challenging, especially if this is your first time encountering such a law. That said, even organisations that have experience with data privacy laws should still take the time to understand the VCDPA.
Here’s a simple 5-step VCDPA compliance framework to follow.
1. Assess data
First off, take the time to become familiar with the Virginia Consumer Data Protection Act (VCDPA). Then, read the content from the ‘Who does the VCDPA apply to’ section of this article, and use this information to determine if the law applies to your organisation.
How do you know if you reach the data subject threshold? Easy. Use a web analytics platform like Matomo to see where your web visitors are, how many of them (from that specific region) are visiting your website and how many of them you’re collecting personal or sensitive data from.
To do this in Matomo, simply open the dashboard, look at the “Locations” section and use the information on display to see how many Virginia residents are visiting your website.
Using the dashboard will help you determine if the VCDPA applies to your company.
2. Evaluate your privacy practices
Review your existing privacy policies and practices and update them to comply with the VCDPA. Ensure your data collection practices protect the confidentiality, integrity and accessibility of your visitors.
One way to do this is to automatically anonymise visitor IPs, which you can do in Matomo — in fact, the feature is automatically set to default.
Another great thing about IP anonymisation is that after a visitor leaves your website, any evidence of them ever visiting is gone, and such information cannot be tracked by anyone else.
3. Inform data subjects of their rights
To ensure VCDPA compliance in your organisation, you must inform your data subjects of their rights, including their right to access their data, their right to transfer their data to another controller and their right to opt out of your data collection efforts.
That last point is one of the most important, and to ensure that you’re ready to respond to consumer rights requests, you should prepare an opt-out form in advance. If a visitor wants to opt out from tracking, they’ll be able to do so quickly and easily. Not only will this help you be VCDPA compliant, but your visitors will also appreciate the fact that you take their privacy seriously.
To create an opt-out form in Matomo, visit the privacy settings section (click on the cog icon in the top menu) and click on the “Users opt-out” menu item under the Privacy section. After creating the form, you can then customise and publish the form as a snippet of HTML code that you can place on the pages of your website.
4. Review vendor contracts
Depending on the nature of your organisation, you may have vendor contracts with a third-party business associate. These are individuals or organisations, separate from your own, that contribute to the successful delivery of your products and services.
You may also engage with third parties that process the data you collect, as is the case for many website owners that use Google Analytics (to which there are many alternatives) to convert visitor data into insights.
Financial institutions, such as stock exchange companies, also rely on third-party data for trading. If this is the case for you, then you likely have a Data Processing Agreement (DPA) in place — a legally binding document between you (the data controller, who dictates how and why the collected data is used) and the data processor (who processes the data you provide to them).
To ensure that your DPA is VCDPA compliant, make sure it contains the following items:
- Definition of terms
- Instructions for processing data
- Limits of use (explain what all parties can and cannot do with the collected data)
- Physical data security practices (e.g., potential risks, risk of harm and control measures)
- Data subject rights
- Consumer request policies (i.e., must respond within 45 days of receipt)
- Privacy notices and policies
5. Seek expert legal advice
To ensure your organisation is fully VCDPA compliant, consider speaking to a data and privacy lawyer. They can help you better understand the specifics of the law, advise you on where you fall short of compliance and what you must do to become VCDPA compliant.
Data privacy lawyers can also help you draft a meaningful privacy notice, which may be useful in modifying your existing DPAs or creating new ones. If needed, they can also advise you on areas of compliance with other state-specific data protection acts, such as the CCPA and newly released laws in Colorado, Connecticut and Utah.
How does the VCDPA differ from the CCPA?
Although the VCDPA has many similarities to the CCPA, the two laws still have their own approach to applying the law.
Here’s a quick breakdown of the main differences that set these laws apart.
Definition of a consumer
Under the VCDPA, a consumer is a “natural person who is a Virginia resident acting in an individual or household context.” Meanwhile, under the CCPA, a consumer is a “natural person who is a California resident acting in an individual or household context.” However, the VCDPA omits people in employment contexts, while the CCPA doesn’t. Hence, organisations don’t need to consider employee data.
Sale of personal data
The VCDPA defines the “sale of personal data” as an exchange “for monetary consideration” by the data controller to a data processor or third party. This means that, under the VCDPA, an act is only considered a “sale of personal data” if there is monetary value attached to the transaction.
This contrasts with the CCPA, where that law also counts “other valuable considerations” as a factor when determining if the sale of personal data has occurred.
Right to opt out
Just like the CCPA, the VCDPA clearly outlines that organisations must respond to a user request to opt out of tracking. However, unlike the CCPA, the VCDPA does not give organisations any exceptions to such a right. This means that, even if the organisation believes that the request is impractical or hard to pull off, it must comply with the request under any circumstances, even in instances of hardship.
Ensure VCDPA compliance with Matomo
The VCDPA, like many other data privacy laws in the US, is designed to enhance the rights of Virginia consumers who have their personal or sensitive data collected and processed. Fortunately, this is where platforms like Matomo can help.
Matomo is a powerful web analytics platform that has built-in features to help you comply with the VCDPA. These include options like:
- Cookie-less tracking
- Creating consumer consent and opt-out forms
- Giving consumers access to their personal data
Try out the free 21-day Matomo trial today. No credit card required.