The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and Virginia became the second state in the United States to enact a comprehensive data privacy law after California.
The VCDPA went into effect on January 1, 2023, and affects organizations that do business in Virginia or provide products/services to people in Virginia. In other words, your organization does not need to be located in Virginia to be affected by the VCDPA.
🚀 Learn more about the VCDPA in this article, including whether or not you’ll be affected and how to become compliant.
The VCDPA grants users the right to access their data and to request that organizations remove their personal data. It also compels businesses to complete data security assessments when processing personal data for, among other purposes, targeted advertising and sales.
Under the VCDPA, personal data means any information that is linked or reasonably linkable to an identified or identifiable person.
Therefore it’s important to note that IP addresses can be considered personal data as long as they are “linked or reasonably linkable to an identified or identifiable natural person”.
To fall under the scope of the Act, organizations doing business in Virginia must meet one of two levels, and both thresholds address a minimum number of affected users.
will be affected by the VCDPA. Keep reading to find out how your business can become compliant. 👇
Your organization must provide users with a reasonably accessible, clear, and meaningful privacy notice. Here is the full checklist of information that you must include in your privacy policy.
Include the categories of personal data processed by your organization.
Include your organization’s purpose for processing personal data.
Inform your users of how they may exercise their rights (see below), including how they can appeal a decision on their requests. You must provide one or more methods for users to submit a request.
Include the categories of personal data that your organization shares with third parties, if any.
Include the categories of third parties, if any, with whom your organization shares personal data.
iubenda’s Privacy and Cookie Policy Generator allows you to add all United States disclosures in one simple click!
Simply click “Enable disclosures for Users residing in the United States” to activate the new US-specific clauses.
Residents of Virginia have the following rights under Virginia’s VCDPA:
Please be informed that under the VCDPA, there are no indications that opt-out links enabling users to opt out of the processing of personal data for certain purposes are required.
The provisions of the VCDPA, in fact, treat users’ opt-out rights in the same manner as any other user rights granted under the Act. See how to respond to users’ requests below 👇
Your business needs to comply with users’ requests as follows:
As the VCDPA does not establish a dedicated privacy agency, the Attorney General has exclusive authority to enforce its provisions.
Prior to initiating any action, the Attorney General will provide a 30-day written notice identifying the specific provisions that have been or are being violated:
👉 If within the 30-day period, you cure the noticed violation and provide the Attorney General with a written statement that the alleged violations have been cured and that no further violations shall occur, no action will be initiated against your business.
👉 If your business continues to violate the provisions of the Act following the cure period or a written statement made to the Attorney General, the Attorney General may initiate an action and seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.
The United States gains another data privacy regulation through Virginia’s Data Protection Act (VCDPA).
If your organization is already in compliance with the GDPR and California’s CCPA/CPRA, the chances are you won’t have to do much to bring your website into compliance with Virginia’s VCDPA. However, it’s important you consider the changing landscape of privacy laws across the US and think about ways in which you can meet even the strictest of privacy standards.
iubenda has created the tools to help you simultaneously comply with the various legislations across the United States!
📌 Privacy and Cookie Policy generator →
Our Privacy and Cookie Policy generator provides the option to add “service” clauses to comply with each US legislation.
To enable the new US-specific clauses, simply click “Enable disclosures for Users Residing in the United States” from within the Privacy and Cookie Policy Generator. This will allow you to meet the strictest of US standards.
📌 Privacy Controls and Cookie Solution →
Additionally, our Privacy Controls and Cookie Solution allows you to meet the remaining requirements for your Privacy Notice.
Within the configurator, simply:
If your organization falls under the scope of the VCDPA, you should have begun looking into compliance solutions that are well-trusted and drafted by lawyers.
So, if you haven’t got one already, get started today.