This year, the Virginia General Assembly passed the Consumer Data Protection Act, making Virginia the second state in the nation to enact a privacy law directed at protecting consumers’ data rights. Although the act will not take effect until January 1, 2023, the bill contains a lot of information that can be overwhelming at first glance. That is why we have developed a brief overview of the new Consumer Data Protection Act and how it applies to you.
Certain Businesses Are Affected
This act applies to any organization doing business in Virginia that controls or possesses personal data of at least 100,000 Virginia residents. Additionally, this act affects any organization that controls or possesses personal data of at least 25,000 Virginia residents and receives at least 50% of its gross revenue from selling the personal data.
However, several organizations are exempt from the act: state and local government bodies, higher learning and financial institutions, certain nonprofit organizations, and institutions covered by HIPAA and the Health Information Technology for Economic and Clinical Health Act.
Consumers Can Access Their Personal Data
Consumers can find out what personal data the organization processes. Personal data is defined as any information linked or linkable to a person except data that is hard to personally identify or publicly available information.
Once consumers find out what personal data the business or its affiliates possess, they are allowed to:
- Access the data from the company in a reasonable manner
- Correct any inaccuracies
- Request to delete personal data
- Opt out of processing personal data for sale, targeted advertising, or profiling.
Businesses Must Protect Personal Data
Businesses must comply with the customer’s request within a certain amount of time. In addition, they must:
- Limit the collection of personal data
- Establish and maintain reasonable data security practices
- Refrain from discrimination
- Prevent sensitive data processing without the consumer’s consent
- Review and assess their current data processing practices and adjust accordingly
- Provide clear instructions to consumers regarding the business’ data practices and ways consumers can exercise their rights according to this act.
The act outlines additional provisions for businesses such as exemptions to these requirements, when a business can extend the timeline, and the data processor’s responsibilities on behalf of the company.
There Are Legal Consequences to Non-Compliance
If a business declines to act on the consumer’s request, the consumer has a right to appeal. If the appeal is denied, the consumer can contact the Attorney General’s office to investigate the consumer’s claim. The consumer cannot seek personal remedies under the current version of the act.
If the Attorney General finds just cause that the company violated the provisions in the act, the company must pay a fine of up to $7,500 for each violation. The money will go directly to the Consumer Privacy Fund.
There Is More to Come
Although the legislature passed this version of the bill, the Consumer Data Protection Act will likely change prior to January 2023. The act directs the Chairman of the Joint Commission on Technology and Science to create a working group of affected parties to review the act and provide recommendations by November 1, 2021. Furthermore, with changes in the Administration and potential changes to the House of Delegates, we will likely see additional changes during the 2022 General Assembly Session.
We’re Here to Help
If you want more information about the bill’s contents or how it may apply to you, please feel free to contact us at Gentry Locke Consulting.