The consumer rights outlined in the Virginia Consumer Data Protection Act (VCDPA) are built on the FTC's Fair Information Practice Principles (FIPPs). The FIPPs provide a framework that allows consumers more control over the way their data is used and collected.
In this article, we'll discuss the seven primary consumer rights protected by the VCDPA and what you should do to ensure your business is compliant when the law goes into effect.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Consumer Rights Under the Virginia Consumer Data Protection Act (VCDPA)
- 1.1. The Right to Access
- 1.2. The Right to Know
- 1.3. The Right to Rectification
- 1.4. The Right to Delete
- 1.5. Right to Object to Data Processing
- 1.6. Right to Data Portability
- 1.7. Right to Appeal
- 2. Which Businesses Must Facilitate Consumer Rights Under the VCDPA?
- 3. How to Facilitate Consumer Rights Under the VCDPA
- 3.1. Limit your collection and use of data
- 3.2. Provide reasonable security
- 3.3. Obtain consent for the processing of personal information
- 3.4. Provide a privacy notice
- 3.5. Be transparent about the sale of data to third parties
- 3.6. Provide a way for consumers to submit requests
- 3.7. Conduct a data protection assessment
- 4. Summary
Consumer Rights Under the Virginia Consumer Data Protection Act (VCDPA)
One of the first things to take note of, is the fact that the VCDPA is the east coast's first data protection law of its kind.
Additionally, the Virginia VCDPA drafters appear to have significantly benefited from observing the pitfalls and difficulties that emerged during the development and implementation of Europe's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA).
By incorporating narrower definitions, the Virginia bill avoids many of these. It excludes data categories and businesses that were (and continue to be) confusing under the European and Californian regulations.
With that said, the VCDPA's provisions, which protect consumer rights, are pretty similar to the CCPA's. Therefore, organizations that have already met the VCDPA Compliance requirements should easily meet the VCDPA's demands as well.
That being the case, let's go ahead and outline the consumer rights, which you must protect to be compliant.
The Right to Access
The consumer has the right to request a copy of personal information from the data controller (any entity that acquires and possesses the personal data of a consumer for its own use) and access it.
To be specific, Virginia residents have the right to:
- Confirm that a controller is processing their personal data, and
- Access that data
This is similar to the VCDPA requirement that businesses disclose the "specific pieces of personal information collected." However, there is no period of time, which limits the data that must be disclosed, unlike the VCDPA.
The Right to Know
The consumer has the right to find out whether a business processes their data. They can request information about the processing of their data and the processors involved. This is covered in the right to access.
The Right to Rectification
The consumer has the right to correct any inaccuracies in their personal data.
This can be done regardless of the nature and purpose of the consumer's personal information.
The Right to Delete
The consumer has the right to ask for the deletion of personal data provided to the business.
In fact, Virginia residents have a greater right to delete their personal data under the CDPA than do residents of other areas under similar laws.
For instance, the VCDPA requires that a controller erase any personal data obtained about or provided by the consumer upon receiving an authenticated request. This is in addition to data "from the consumer," as is the case with the VCDPA.
Although there is no requirement for a business to instruct third parties with which the consumer's personal information was shared or sold to delete it, the VCDPA demands that processors assist companies in satisfying their obligation to respond to consumer rights requests. This includes deletion requests.
However, deletion of data must be done "taking into account the nature of the processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable."
A drawback here is that the VCDPA doesn't define what "reasonably practicable" means.
Right to Object to Data Processing
Consumers have the right to opt out of the processing of their personal data for marketing or sales purposes without exception. Businesses that are subject to a request must comply without regard to the difficulty of compliance.
Specifically, Virginia's VCDPA gives consumers the right to opt-out of processing personal data for:
- Targeted advertising
- The sale of their personal information, or
- Profiling in furtherance of decisions, which produce legal or similarly significant effects concerning the consumer
Notably, a "sale" of personal data is much more narrowly defined in Virginia than under the VCDPA. However, Virginia's definition of "sale" was limited to "the exchange of personal data for monetary consideration by the controller to a third party."
It did not include the controversial "other valuable considerations" language included in the CCPA.
Right to Data Portability
Consumers have the right to access their personal data in a portable and, as far as technically possible, easily usable format.
This allows them to send the data to another controller without trouble, "where the processing is carried out by automated means."
It is not clear what the meaning of "where the processing is carried out by automated means" happens to be.
However, the VCDPA defines processing as:
"any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage disclosure, analysis, deletion or modification of personal data."
That being said, if the courts stick to the plain meaning of the word "automated," it's possible that the actual right of portability may be exclusively limited to information, which is processed without the intervention of human beings.
Right to Appeal
If a business refuses to act within a reasonable period, consumers have the right to appeal under the VCDPA. Companies must respond within 45 days after receiving a request from a consumer. The business can extend the response time by 45 days if they feel it is necessary. However, the company must notify the consumer within the initial response window.
If a business still fails to respond to the consumer's request, the VCDPA dictates that "a controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable time after the consumer's receipt of the decision."
If the consumer's appeal is denied, the controller must provide the consumer with information on presenting the attorney general with a complaint.
Which Businesses Must Facilitate Consumer Rights Under the VCDPA?
If both the following criteria are met, businesses are subject to the VCDPA:
- They either produce products or services targeted to Virginia residents, or they conduct business within the state, and
- They process or control the personal information of at least 100,000 consumers, or
- They process or control the personal information of at least 25,000 consumers, and the sale of personal data makes up more than 50 percent of their gross revenue
The VCDPA doesn't have a revenue threshold so companies, which don't have a significant amount of consumer information, won't be subject to the law.
How to Facilitate Consumer Rights Under the VCDPA
To facilitate consumer rights under the VCDPA, you must do the following.
Limit your collection and use of data
The VCDPA demands that companies limit personal data collection to only what is necessary, adequate, relevant, and reasonable for the purpose for which it is being processed.
Organizations cannot process personal data for purposes not reasonably necessary or that are not consistent with the disclosed purpose of data processing unless the company obtains the consent of the consumer.
Provide reasonable security
You must establish, apply, and maintain "reasonable" technical, administrative, and physical data security measures to protect personal information accessibility, confidentiality, and integrity. These security measures must also be appropriate to the nature and volume of the personal data in question.
Obtain consent for the processing of personal information
You need to obtain consent from consumers before you can process any sensitive data.
The VCDPA defines consent in a manner similar to the GDPR and states that it is an affirmative action taken by the consumer, which is informed, unambiguous, specific, and freely given.
Further, that consent is provided as an agreement to process personal information and may include a written statement, digital or otherwise, which gives the company clear consent.
Here's an example of how you can get consent:
Provide a privacy notice
Consumers should have an easily accessible, transparent, and meaningful privacy notice, such as a Privacy Policy.
This notice must include categories of personal information processed by the company. It must also include the purpose for which your company collects and processes personal data, and how consumers can exercise rights over their information, including appeals to company decisions regarding a request for personal data.
It should also detail categories of personal information that the company shares with third parties, if applicable; and the categories and third parties with which the company has shared personal data.
Here's an example of a Privacy Policy table of contents so you can see the information that it should include:
Be transparent about the sale of data to third parties
Companies that sell or process personal information for targeted advertising or other purposes must prominently and clearly disclose the fact in their privacy notice. They also need to provide an option where a consumer can exercise their right to opt out.
Here's an example:
Provide a way for consumers to submit requests
Ensure that consumers have the means to exercise their rights by giving them a secure way to make requests.
The VCDPA is not prescriptive as to how consumers should submit such requests. However, it does specify that such means must take into account how consumers interact with the company, the need to reliably and securely communicate those requests, and the company's ability to authenticate the consumer's identity.
Conduct a data protection assessment
Data protection assessments must be conducted by organizations for certain processing activities. This includes selling personal information, profiling or targeted advertising, processing sensitive data, and any other processing activities that could pose a greater risk to consumers.
Data protection assessments should assess the potential benefits for the business and the risks to consumers that are associated with processing consumer data. Companies should balance these competing concerns by determining whether certain safeguards (e.g., using de-identified information) would reduce risks to consumers as well as consumers' reasonable expectations regarding the business relationship with the consumer.
Summary
The Virginia Consumer Data Protection Act is a new law which will provide consumers with privacy and data protections.
These rights are:
- The Right to Access
- The Right to Know
- The Right to Rectification
- The Right to Delete
- The Right to Object to Data Processing
- The Right to Data Portability
- The Right to Appeal
In order to provide safeguards for these consumer rights, the VCDPA imposes obligations on businesses in how they process and disclose personal data about individuals.
While data privacy laws are still being considered in other US states, Virginia is now second to California in the state's efforts to pass comprehensive privacy legislation.
If you do business in Virginia and you haven't already, you should work to become VCDPA compliant.
This means:
- Limiting the data you obtain to only relevant and necessary information
- Provide a privacy notice, which discloses information about the types and categories of data you collect, your reasons for collecting the data, and how consumers can exercise their rights
- Also include information in your privacy notice, which lets consumers know that they have the right to opt-out of your data collection efforts and the right to correct, delete, or access data you've collected
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.