Virginia Joins California with its own Consumer Data Protection Act
California followed Europe’s General Data Protection Regulation (GDPR) by instituting its own data privacy legislation back in 2018. This week, Virginia became the second state in the U.S. to adopt sweeping data privacy legislation.
As expected, the Virginia Consumer Data Protection Act closely resembles the California Consumer Privacy Act (CCPA) as well as the E.U. GDPR. One of the main differences, however, is that the Virginia CDPA includes assessments and rights related to targeted advertising.
Going into effect Jan. 1, 2023, the Virginia CDPA applies to businesses that conduct business in Virginia or produce products or services that are targeted to Virginia residents.
Other criteria include:
- Any company that, during a calendar year, controls or processes personal data of at least 100,000 consumers
- Any company that processes or controls personal data of at least 25,000 consumers and derives over 50 percent of its gross revenue from the sale of personal data
Another difference between the Virginia CDPA and CCPA is the definition of “consumer.” Virginia’s is narrower – the state defines a consumer as a natural person who is a Virginia resident and is only acting in an individual or household context in providing personal data. The definition of consumer does not include any natural person providing personal data in a commercial or employment context.
The act also defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable natural person.
Compliance will vary by the role your business plays, specifically whether it is acting as a controller or a processor under the Virginia CDPA. A controller, in this instance, is the business that determines the purpose and means of processing personal data. Controllers must post a privacy policy reasonably accessible to consumers that details the categories of personal data processed, the purposes for processing that data, how consumers can exercise their rights, the categories of personal data shared with third parties and the categories of third parties with whom the controller shares that data.
A processor is the business that processes personal data on behalf of the controller. The Virginia CDPA prohibits controllers from processing personal data for purposes other than those listed in the Virginia CDPA. Some of the permitted purposes include providing a requested product or service, conducting internal research, and repairing errors.
Just as you might expect, this is another stringent, overwhelming regulation your business may struggle to comply with on your own. Don’t risk noncompliance! Contact 2W Tech today. You may have a couple of years to adjust to the demands of Virginia CDPA, but 2W Tech’s Cybersecurity Compliance Program will help you reach and maintain all your current and future compliance obligations. Contact us today to learn more.