The Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive data protection law in the United States that was signed into law on March 2, 2021. It is the second data privacy law to be passed in the United States, after the California Consumer Privacy Act (CCPA), and it will come into effect on January 1, 2023.

The VCDPA applies to any company that collects and processes the personal data of Virginia residents and either (a) controls or processes personal data of at least 100,000 consumers annually or (b) derives over 50% of gross revenue from the sale of personal data and processes the personal data of at least 25,000 consumers annually.

Under the VCDPA, Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data. Companies must obtain explicit consent from individuals before collecting, processing, or sharing their personal data, and must inform individuals of their rights under the VCDPA. Companies must also implement reasonable data security practices and conduct data protection assessments for certain data processing activities.

Non-compliance with the VCDPA can result in fines of up to $7,500 per violation, as well as injunctions and other legal remedies. Companies that operate in Virginia or process personal data of Virginia residents should take steps to comply with the VCDPA to avoid potential penalties and reputational damage.

Timeline of the VCDPA

Here is a timeline of the Virginia Consumer Data Protection Act (VCDPA):

  • March 2, 2021: The Virginia Consumer Data Protection Act is signed into law.
  • January 1, 2023: The VCDPA is set to take effect, giving companies time to prepare for compliance.

The Virginia Attorney General is authorized to enforce the VCDPA and may bring civil actions for violations of the law. The VCDPA provides for penalties of up to $7,500 per violation, as well as injunctive relief and other legal remedies. Companies that process the personal data of Virginia residents should take steps to comply with the VCDPA to avoid potential penalties and reputational harm.

Guide to VCDPA Compliance

Here are some steps that companies can take to ensure VCDPA compliance:

  1. Conduct a data inventory: Identify the categories of personal data collected and processed, and assess the legal basis for processing that data.
  2. Develop a privacy policy: Create a clear, concise, and easily accessible privacy policy that explains your data collection practices and how individuals can exercise their rights under the VCDPA.
  3. Obtain consent: Obtain explicit consent from individuals before collecting, processing, or sharing their personal data.
  4. Implement data security measures: Implement reasonable data security practices to protect personal data from unauthorized access, use, disclosure, and destruction. This includes encryption, access controls, and regular security audits.
  5. Designate a Data Protection Officer (DPO): Appoint a DPO to oversee compliance with the VCDPA and serve as a point of contact with regulatory authorities and individuals.
  6. Conduct data protection assessments: Conduct data protection assessments for certain data processing activities to identify and mitigate potential risks to individuals' privacy.
  7. Respond to data subject requests: Develop processes for individuals to request access to, correction of, and deletion of their personal data, and to opt out of the sale of their personal data.
  8. Train employees: Train employees on VCDPA requirements and company policies and procedures for handling personal data.

This document was last updated on April 19, 2023