Virginia

Virginia Governor Northam signed into law the Virginia Consumer Data Protection Act (VCDPA) on March 1, 2021. It became effective January 1, 2023. Not many were paying attention as the VCDPA flew through the Virginia Legislature, passing by an overwhelming margin in fewer than two months. What are the implications of the VCDPA, and how does it differ from the CCPA or CPRA?

The Virginia law differs from the California approach and adds a few operational challenges for businesses, including:

• A broader affirmative consent or opt-in requirement to process sensitive personal data.
• A broader right to opt out of the processing of personal data that covers not only sales of personal data, but also targeted advertising and profiling decisions that produce legal or similarly significant effects.
• Similar to the GDPR, mandatory data protection assessments are required for sales, targeted advertising, and profiling, including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment.
• The roles of controllers and processors are defined, with specific role-based requirements for processors: obligations to provide assistance to the controller, to adhere to the controller’s instructions, and to demonstrate compliance with processor obligations.

There is some good news for businesses:

• Employee data and B2B data are not covered under the VCDPA. Personal data under the VCDPA excludes employee data, business-to-business data, de-identified data, and publicly available information.
• “Sale” of data under the VCDPA is narrower than under the CCPA and is limited to the exchange of personal data for monetary consideration by a controller to a third party.