Virginia Legislature Enacts Law to Protect Consumer Privacy: Big Consequences for Business Owners

Does your business deal with a consumer’s personal data? Does your business interact with Virginia residents? If so, your business operations could be greatly affected by a new law aimed at protecting consumer privacy. Set to take effect January 1, 2023, the Virginia Consumer Data Protection Act (“VCDPA”) will grant Virginia residents the rights to access, correct, delete, know, and opt-out of the sale and processing for targeted advertising purposes of their personal information. It will also grant consumers the right to data portability and the right to not be discriminated against for exercising any of the rights granted thereunder, except in the case of loyalty programs.

So what does this mean for business owners? The VCDPA limits businesses’ collection and use of personal data and requires the implementation of technical safeguards.  The VCDPA explicitly limits the collection and processing by controllers of personal data to that which is reasonably necessary and compatible with the purposes previously disclosed to consumers.  Relatedly, controllers must obtain consent from consumers before processing personal data collected for another stated purpose.

Furthermore, the VCDPA requires that businesses establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data,” as appropriate to the volume and nature of the personal data at issue. The act requires controllers to conduct “data protection assessments,” similar to the data protection impact assessments required under the GDPR, to evaluate the risks associated with processing activities that pose a heightened risk – such as those related to sensitive data and personal data for targeted advertising and profiling – and the sale of personal data. Finally, the VCDPA requires that all aspects of the controller-processor relationship be governed by a data processing agreement.

These new restrictions and requirements will force data companies to undertake major efforts to comply with the law. To see if your business is covered by the VCDPA and how its components could affect your business operations, contact us at Weiss LLP to help guide you through the necessary changes and ensure that your business remains profitable and thriving.