What is VCDPA?
VCDPA is a US state law that was passed in Virginia to protect the privacy rights of consumers residing in Virginia. It applies to businesses that conduct business in Virginia or produce products/services targeted to VA residents, and that collect or process the personal data of
- over 100,000 consumers or
- over 25,000 consumers if over 50% of revenue is from selling personal data.
VCDPA is enforced by the Virginia Attorney General.
Here are the key aspects of the Act:
- VCDPA defines personal data as any information that identifies a specific individual, including names, email, photos, contact information. Sensitive personal data includes things like racial/ethnic origin, health info, sexual orientation, etc.
- Key principles under VCDPA include purpose limitation, data security, non-discrimination against consumers exercising their rights, requiring consent for certain types of data, providing a privacy notice, and conducting impact assessments for high-risk data processing.
- Rights granted to consumers include rights to access, correct, delete their data, opt-out of data sales/targeted advertising, and data portability. Businesses have 45 days to respond to consumer requests.
- Penalties for violations include the Attorney General being able to sue for up to $7,500 per violation if problems are not fixed after receiving notice.
Check out how you can comply with VCDPA.