If your company collects personal information from Virginia residents who register for your services online or visit your website, you may be required to comply with the state's Consumer Data Protection Act (VCDPA), depending on how much personal data you process. The applicability thresholds are set out below.

The VCDPA became effective on January 1, 2023.

This article will explain what the VCDPA is, what it requires, and how to comply with it.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is VCDPA?

The VCDPA (Virginia Consumer Data Protection Act) is a privacy law that applies to persons who conduct business in the Commonwealth of Virginia, or who produce products or services targeted to Virginia residents, and who process personal data above certain volume thresholds.

The VCDPA moves the United States closer to the kind of rigorous privacy and data security rules found in the European Union's GDPR. It is also frequently compared to the California Consumer Privacy Act (CCPA), which preceded it and was, until the VCDPA passed, the most comprehensive state privacy law in the United States.

The VCDPA goes beyond the CCPA in one notable respect: it requires controllers to conduct and document data protection assessments for higher-risk processing, such as targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data.

Who Does the VCDPA Apply to?

The VCDPA applies to persons who conduct business in the Commonwealth of Virginia, or who produce products or services targeted to Virginia residents, and who meet one of the following thresholds:

  • You control or process the personal data of at least 100,000 consumers during a calendar year, or
  • You control or process the personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data

Note that the law exempts certain entities outright, including Virginia state bodies, nonprofits, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates subject to HIPAA.

Who is a Consumer?

The law's definition of consumer is "a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context."

What is Personal Data?

According to the VCDPA, the definition for "Personal Data" is "any information that is linked or reasonably linkable to an identified or identifiable natural person." Exceptions to this definition include:

  • Publicly available information
  • Data which has been de-identified (information that "cannot reasonably be linked to an identified or identifiable natural person [or] a device linked to such person")

Sensitive Data

The VCDPA singles out a subset of personal data as "sensitive data," which you may only process with the consumer's consent and which must be covered by a data protection assessment. Sensitive data is:

  • Precise geolocation data
  • Any information that reveals ethnic or racial origin
  • Religious beliefs
  • Sexual orientation
  • Mental or physical health diagnoses
  • Immigration or citizenship standing
  • Biometric data
  • Personal data collected from a known child (a consumer under 13 years of age)

Under the VCDPA, "consent" is "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer." You are required to obtain the consent of Virginia residents before processing any of their sensitive data, and before processing personal data for purposes that are neither reasonably necessary to nor compatible with the purposes you disclosed when you collected it. Because consent must be a clear affirmative act, a pre-ticked checkbox or a consumer's silence does not satisfy this definition.

Here's an example of getting consent to send marketing information to someone with a checkbox to show consent is granted when checked:

Logitech account registration page with consent checkbox for communications

What's the Penalty for Not Having a VCDPA-Compliant Privacy Policy?

The Virginia Attorney General has exclusive authority to enforce the VCDPA; there is no private right of action. Before bringing an action, the Attorney General must give you written notice of the violation and a 30-day period in which to cure it. If the violation is not cured, the Attorney General can seek a civil penalty of up to $7,500 per violation. On top of that, the company may also have to pay the "reasonable expenses" incurred in investigating and preparing the case.

Reasonable expenses may include attorney's fees.

VCDPA-Compliant Privacy Policies FAQs

You may find answers to the list of the following questions useful.

Do I need to have a VCDPA-compliant Privacy Policy?

If the VCDPA applies to you (you conduct business in Virginia or target its residents, and you meet one of the processing thresholds above), then yes. The law requires controllers to provide a "reasonably accessible, clear, and meaningful" privacy notice.

Your Privacy Policy must disclose information such as:

  • The categories of personal data you process
  • The purposes for which you process that data
  • What categories of personal data you share with third parties
  • What categories of third parties you share personal data with
  • How consumers can exercise their rights, including how they can appeal your decision on a request
  • Whether you sell personal data to third parties or process it for targeted advertising, and if so, how consumers can opt out
  • Contact information, including a secure and reliable way for consumers to submit requests

Here's an example of how a Privacy Policy clause discloses the use of personal information:

Walmart Privacy Notice: How do we use your personal information clause

If I already have a Privacy Policy, how do I update it for the VCDPA?

To update your existing Privacy Policy for VCDPA-compliance, first remember that it must be "reasonably accessible, clear, and meaningful."

The statute does not define those terms any further. If you use the CCPA as a model (its regulations give businesses more specific guidance on format and presentation), then in addition to ensuring the information mentioned above is included, you'll want to:

  • Make sure your Privacy Policy is written in clear and easy-to-understand language. Leave out technical and legal jargon.
  • Use a layered format. Use a structure for your Privacy Policy that makes it easy for the reader to scan quickly for relevant information.
  • Post your Privacy Policy in a prominent location on your website or link to it from that location (common areas include your website's footer, beneath opt-in forms, and on check-out forms). Additionally, ensure that any link to your Privacy Policy is conspicuous and does not blend in with surrounding text. Here's an example of a Privacy Policy link displayed in a footer:

    Screenshot of the footer from The Economist with Privacy Policy link highlighted

  • Provide consumers with the option to download and print your Privacy Policy. Also, format your Privacy Policy so that if someone prints it out, it remains easy to read.

How do I make my VCDPA Privacy Policy Enforceable?

To ensure that your Privacy Policy is enforceable, you need to get consent. You can do this by including a button or unticked checkbox next to text that states, "I have read and agree to the terms of the Privacy Policy." The button should say "I Agree" or something similar.

Here's an example of this:

Generic Create Account form with I Agree checkbox highlighted - example

We'll address this further in the section on displaying your Privacy Policy and obtaining consent, towards the end of this article. But keep in mind that you must get consent to your Privacy Policy for it to be legally enforceable.

How to Create a VCDPA-Compliant Privacy Policy

In essence, to create a Privacy Policy that's as airtight as possible, you'll want to ensure that:

  • Consumers understand what their rights are when it comes to data privacy. Under the VCDPA these are the rights to confirm whether you process their personal data and to access it, to correct inaccuracies, to delete it, to obtain a portable copy, and to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
  • You are transparent about how you'll comply with the wishes of consumers when they exercise their rights. The law gives you 45 days to respond to a request (extendable once by a further 45 days when reasonably necessary), and you must offer an appeal process if you decline to act.
  • Consumers understand you won't discriminate against them for exercising their rights.

Before you begin writing your Privacy Policy, you'll also want to conduct a self-audit of your privacy and data protection practices. That way, you'll better know what specific information you need to disclose.

Types of Information You Collect

Your Privacy Policy needs to have as one of its main sections the type of data your company collects. As noted previously, you need to be transparent about the categories of information that you collect.

For example, this sample clause lists a long list of personal data categories being collected from customers and the specific types of data collected:

Dollar Tree Privacy Policy: Data Collection chart with context, data types, purpose for collection and use of data

The screenshot above is only a snapshot of how the company lays out its data collection practices in its Privacy Policy, but note how thorough the clause is in disclosing those practices.

A context and specific types of data are given for each instance where information is collected:

  • Account Registration: We collect your name, contact information, and password information when you create an account. We also collect information relating to the actions that you perform while logged into your account.
  • Client Information: We collect the name and contact information of our clients and their employees with whom we may interact.
  • Cookies and First Party Tracking: We use cookies and clear GIFs. "Cookies" are small pieces of information that a website sends to a computer's hard drive while a website is viewed.
  • Cookies and Third-Party Tracking: We participate in behavior-based advertising, which means that a third party uses technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests on our website, or on other websites.
  • Coupons/Loyalty Program Information: We may collect your telephone number, email address, name and other contact information, birthday, gender, location information, personal preferences, and password information to administer loyalty and coupon programs.

The clause goes on to list other categories for which personal information is collected. These include:

  • Demographic Information
  • Distance Information
  • Email Interconnectivity
  • Employment (Prospective)
  • Feedback/Support
  • Mailing List
  • Mobile Devices
  • Order Placement
  • Partner Promotion
  • Surveys
  • Sweepstakes or Contests
  • Website Interactions
  • Web logs
  • Wish Lists

Use of Data and Processing Information

The next section you should include is how you use and process personal information. A Virginia-based company that lays everything out on the table is DXC Technology. Like Dollar Tree, it goes into explicit detail as to how consumer information is both used and processed.

Just one example is how the company uses data to fulfill transaction requests:

DXC Technology Privacy Policy: Use of Personal Information clause - Fulfilling Your Transaction Request section highlighted

A few other ways DXC uses and processes consumer data are to:

  • Personalize the user experience on its websites
  • Provide support for customers
  • Market to customers
  • Aid in recruitment efforts
  • Monitor or record calls, chats, and other interactions
  • Help protect the company's rights and property

Who You Share Data With

Every company that collects personal information from its customers should specify the information they share with third parties as well as what category of third parties it shares data with.

Here's how General Dynamics discloses this information:

General Dynamics Privacy Policy: Information We Share clause

How Consumers Can Exercise Their Rights

Make sure you include a section that details how consumers can exercise their rights under the VCDPA.

Northrop Grumman provides the information consumers need, although its language isn't as plain and easy to understand as it could be:

Northrop Grumman Privacy Policy: Your Rights and Choices clause

Contact Information

Your customers should always know how to contact you to discuss the information you collect on them or your Privacy Policy in general. All you need here is a simple contact clause. Keep in mind that the more ways you give customers to contact you, the better.

General Dynamics provides a super simple, brief statement about how customers can contact the company regarding its Privacy Policy and other matters:

General Dynamics Privacy Policy: Contact Us clause

Next we'll look at how you can display and get consent to your Privacy Policy to ensure it's accessible and legally enforceable.

As noted earlier, display your Privacy Policy link in your website's footer. You should also display it as a link and request consent to it in places where you actively collect personal information. For example, if you allow users to sign up for accounts, this would be a great time to display and get consent to your policy, as seen here:

BitChute Create Account form: Privacy Policy link highlighted

If you have an ecommerce component to your site, you can have users show consent to your Privacy Policy as part of the checkout process, as seen here:

Screenshot of Google Play Books store checkout page

Note that the above image shows how the same concept of display and consent applies to mobile apps as well.

Another place to display your Privacy Policy and obtain consent is when users sign up for communications, promotions or other materials from you and share an email address or other personal information. Here's an example of this in action:

Havaianas email newsletter sign-up form with Privacy Policy link highlighted

Summary of a VCDPA Privacy Policy

The VCDPA sets out some of the most comprehensive requirements for companies that do business in the Commonwealth of Virginia. Similar in many ways to California's CCPA, the VCDPA lays out rules for the privacy and protection of the personal information of Virginia residents.

One of the major requirements of the law is a Privacy Policy. Your Privacy Policy should be clear and written in language free of legal or technical jargon. Links to your Privacy Policy should be included in prominent locations on your website, such as your footer, check-out form, opt-in form, or on your app's platform.

At a minimum, your VCDPA-compliant Privacy Policy should have clauses that explain the following:

  • How you collect personal information and what type
  • Why you collect the data
  • How you use and process personal information
  • What kinds of information you share with third parties
  • What types of third parties you share data with
  • How consumers can exercise their rights
  • How to contact you

Keep your Privacy Policy as up-to-date as possible. Clearly showing the date your Privacy Policy was last updated is considered a best practice.

Display a link to your Privacy Policy in your website's footer, as well as in locations where you collect personal data such as on an account registration form, email newsletter sign-up form and so forth. Obtain consent for your privacy practices by using a checkbox or button labeled with an "I Agree" statement or something similar.

Download Sample VCDPA Privacy Policy Template

Our Sample VCDPA Privacy Policy Template will be made available soon.


More Privacy Policy Templates

More specific Privacy Templates are available on our blog.

Sample Privacy Policy Template A Privacy Policy Template for all sorts of websites, apps and businesses.
Sample Mobile App Privacy Policy Template A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store.
Sample GDPR Privacy Policy Template A Privacy Policy Template for businesses that need to comply with GDPR.
Sample CCPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with CCPA.
Sample California Privacy Policy Template A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA).
Sample Virginia VCDPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA.
Sample PIPEDA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA.
Sample Ecommerce Privacy Policy Template A Privacy Policy Template for ecommerce businesses.
Small Business Privacy Policy Template A Privacy Policy Template for small businesses.
Privacy Policy for Google Analytics (Sample) A Privacy Policy Template for businesses that use Google Analytics.
Sample CalOPPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with California's CalOPPA.
Sample SaaS Privacy Policy Template A Privacy Policy Template for SaaS businesses.
Sample COPPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with the U.S. Children's Online Privacy Protection Act (COPPA).
Sample CPRA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with California's CPRA.
Blog Privacy Policy Sample A Privacy Policy Template for blogs.
Sample Email Marketing Privacy Policy Template A Privacy Policy Template for businesses that use email marketing.
