With the way business and technology are evolving, the amount of data being shared, collected, and processed online continues to rise. With that in mind, threats against data breaches and data privacy increase as well. In order to protect and empower consumers, a law on data privacy and security is highly necessary.
Not only are consumers becoming more aware of the amount and type of personal information they allow businesses to process, but they are also starting to express their right to ask which information is being stored. And by the year 2023, Virginia consumers can start legally protecting their personal information, under the state’s new privacy law, Virginia Consumer Data Protection Act (VCDPA). Modeled after the European Union’s General Data Protection Regulation (GDPR) and California’s early framework, this new law aims to regulate the relationship between consumers and businesses.
As business owners, read below to find more information about VCDPA and how it can impact not just your business, but your consumers as well.
1. What Is Covered By The Law
According to the statute, the VCDPA covers all groups and entities conducting business in the state of Virginia, or those who offer services or products intended for residents of the state. These businesses are obliged by the law to give consumers access to their personal data, which they have processed and stored.
Under the VCDPA, Virginia consumers are given the right not only to demand a copy of their data but to also correct any information which they deem inaccurate or delete certain data that they wish not to be stored. They also have the right to opt-out of being made part of any profiling or targeted advertising being done by businesses. Consumers can prevent the business from selling their personal data too. Once a consumer submits their request to either see or review their personal information being stored, businesses have to respond to them within 45 days.
The new privacy law also aims to protect a ‘sensitive’ category of personal information. This includes personal data that pertains to a consumer’s race or ethnic profile, religious beliefs, sexual orientation, mental or physical health diagnosis, and citizenship or immigration status. ‘Sensitive data’ also covers genetic or biometric data, precise geolocation data, even information collected from a minor child.
Under the VCDPA, businesses are required to get ‘consent’ from consumers first, prior to collecting and processing any information.
2. What The Law Doesn’t Cover
The VCDPA has a number of limitations.
It does not cover the personal data of Virginians which they gave or were taken from them in an ‘individual context’. In other words, Virginians can only invoke the statute when it’s about their personal data as consumers or as family members. The statute doesn’t cover personal information which they may have submitted or were taken from them while they were doing their jobs, while they’re in their workplace, or while going about their business as professionals or entrepreneurs.
The VCDPA is also limited by what it would consider as subjects falling within the meaning of the term ‘personal data’. In California’s privacy law, personal data of consumers which can be found in government records are exempted. The Virginia law expounds this limitation even further.
Virginia consumers can’t also invoke the VCDPA if it concerns exempt data. According to the statute, exempt data are information that is believed to be made publicly available by the consumer through distributed media. The most common example of this is information that a consumer might have posted on their social medial accounts.
The VCDPA isn’t also applicable to information that is already protected by other laws, such as Health Insurance Portability and Accountability (HIPAA), and those covered by privacy statutes on research and education.
3. How Can The Law Affect Businesses
Under the VCDPA, businesses are required to perform certain obligations. They will be required to only collect and process information that is considered adequate, relevant, and necessary. The purpose is to limit the amount of information being collected from consumers. In line with that, businesses are also required to obtain consent from consumers, especially when dealing with sensitive information.
Aside from all of that, businesses are also required, under this statute, to ensure that the information they have collected is protected and secured. They have to establish and implement security protocols that can guarantee the confidentiality and privacy of their consumer’s data.
The enactment of the VCDPA shows the ongoing dynamic between consumer groups, and online businesses and platforms. With the help of this new law, consumers are empowered to exercise their right to share, update, even delete certain information that businesses collect from them. Business owners, on the other hand, can secure their consumer’s trust, by showing transparency and protecting the data they get to collect.
Considering that the enforcement of VCDPA will begin in 2023, business owners can take this time and opportunity to prepare necessary actions, in order to comply and meet the new law’s requirements.