Virginia Data Privacy Law Goes into Effect
Data privacy is quickly becoming a hot topic in the business world. Website and app users want to know what they share and what happens with that data.
In March 2021, Virginia became the latest U.S. state to pass a data privacy law. This law, the Virginia Consumer Data Protection Act (VCDPA), went into effect on January 1, 2023, and has several requirements for businesses with website and/or app users in Virginia.
What Is the Virginia Consumer Data Protection Act (VCDPA)?
The Virginia Consumer Data Protection Act (VCDPA) is an online data privacy law that gives online users more control over the personal information gathered about them. With the VCDPA now in effect, businesses must give website and/or app users the ability to access their personal data. In addition, companies must provide users the right to request the deletion or modification of their data and ensure that any de-identified or modified information cannot be traced back to a specific source.
Who Is Affected
The following businesses must comply with the VCDPA: businesses that conduct business in Virginia, or businesses that target, collect, use, or disclose Virginia user data. (Virginia businesses include any business entities that conduct activities in Virginia and have a presence in Virginia. This includes Virginia corporations, limited liability companies, partnerships, associations, other legal entities, and foreign companies doing business in Virginia.) The law applies only if the business also meets at least one of the following requirements:
Businesses that control or process personal data for at least 100,000 Virginia users in a year.
Businesses that derive over 50 percent of their revenue from the sale of personal data from no fewer than 25,000 people.
Public sector organizations in Virginia, non-profit organizations, and higher education institutions are exempt from complying with VCDPA.
What Can Happen If a Company Doesn't Comply
Failing to comply with Virginia's data privacy law can result in fines. The act grants the state attorney general the authority to bring civil actions against businesses that fail to comply with Virginia's data privacy laws, potentially resulting in fines of up to $7,500 per violation.
That said, businesses benefit from a 30-day period within which they can remedy any violations of the Virginia Consumer Data Protection Act. During this period, they can communicate with the attorney general's office and resolve any potential violations before receiving fines.
Take Steps to Comply With the VCDPA
Virginia is the latest state to add data privacy laws to its books. Contact us to fully understand the data privacy compliance needed for your business's website or app.