Virginia Enacts New Data Privacy Law – What Data Leaders Need to Know

April 2021

Consumers have become better educated about how businesses are collecting, using and sharing their personal data, and they don’t like what they’re learning! The U.S. has been slow to enact a comprehensive data privacy law like Europe’s GDPR. As a result, state legislatures are starting to fill the gap and address consumer concerns with their own laws, leaving data and privacy leaders scrambling to comply with a patchwork of disparate state and national laws.

Last month, Virginia became the second state to enact its own comprehensive consumer data privacy law – the Virginia Consumer Data Protection Act, or VCDPA. It has some similarities to GDPR and others to California’s privacy law, which itself recently evolved from CCPA to the new CPRA. Companies that have already implemented GDPR or CCPA/CPRA will therefore have a head start in responding to VCDPA, but careful analysis and mapping of their data to the law’s requirements will still be necessary.

Key provisions of VCDPA

Virginia’s terminology and overall approach resemble GDPR more than CCPA/CPRA. Like GDPR, VCDPA defines two types of personally identifiable information (PII):

  • Personal Data - any information that is linked or reasonably linkable to an identified or identifiable natural person
  • Sensitive Data - a subset of Personal Data that reveals a consumer’s:
    • Racial or ethnic origin, religious beliefs, health information, sexual orientation, or citizenship or immigration status
    • Genetic or biometric data
    • Personal data of a consumer known to be a child
    • Precise geolocation data

This definition excludes the personal data of employees or personal data used in a B2B context, as well as publicly available information and de-identified information.

VCDPA adopts GDPR’s concepts of Controller and Processor, with an emphasis on the “processing” of consumers’ personal data:

  • Controllers - businesses that collect consumer data
  • Processors - third parties that don’t directly collect the consumer’s data but, rather, receive it from Controllers as part of a business arrangement

As under GDPR, businesses are required to:

  • Disclose to consumers what data they are collecting and how it will be used, as CPRA also requires
  • Collect only the minimum amount of data needed for the stated purpose and hold it only for as long as needed, similar to GDPR’s “Privacy by Default” principle
  • Enter into agreements with Processors that clearly set forth instructions for processing PII and ensure its confidentiality, also similar to GDPR

Covered businesses must make the following rights available to Virginia residents upon request:

  • View their personal data
  • Correct errors in their personal data
  • Delete their personal data
  • Opt out of having their personal data collected for advertising, monetizing or profiling purposes
  • Appeal a business’s denial of a request; businesses must act on a request within 45 days of receipt, and a response to any appeal must be provided within 45 days
    • Consumers may contact Virginia’s attorney general directly if their appeal is denied

Who is Covered

VCDPA applies to persons or businesses (i.e., Controllers) that do business in Virginia or produce products or services targeted to Virginia residents, and that either:

  • control or process Personal Data of at least 100,000 consumers, or
  • derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers

Exemptions include businesses or data covered by the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as Virginia government entities, nonprofits and institutions of higher education.

There are also exceptions for data covered by the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act, the Farm Credit Act and the Family Educational Rights and Privacy Act, and for personal data processed in employment contexts.

Enforcement

The Virginia Attorney General has exclusive authority to enforce the act. Any controller or processor that violates it could face a penalty of up to $7,500 for each violation, so it lacks the financial impact of privacy laws like GDPR, which may fine a company up to four percent of its annual revenue. VCDPA does not contain a private right of action for consumers.

Implementation Challenges

VCDPA is only the beginning of new privacy legislation. Other states to watch closely for potential privacy laws this year are Colorado, Connecticut, Florida, New York, Minnesota, Oklahoma, Ohio and Washington. For global companies, the task is even more onerous. Gartner estimates that by 2022, more than half of the world’s population will have its PII covered by local privacy regulations in line with GDPR.

Data leaders, CSOs and CISOs are understandably worried about the logistics of complying with differing and evolving privacy standards at ever more granular levels. In today’s evolving regulatory landscape, it is essential to establish a comprehensive and agile data privacy program.

To ensure compliance, your company should begin to implement a privacy- and governance-first approach in its data management practices. Managing regulations on a one-off basis, as an afterthought, is no longer viable. New and evolving requirements are becoming the norm, driven not just by laws and regulations but, more importantly, by consumer expectations that companies are ethical stewards of the data they have been entrusted with.

To build the right foundation, you need to understand what personal information you’re collecting and how the business is using it. Consider an automated solution that can operationalize data privacy across your enterprise and deliver full transparency of your IT data landscape.

ASG Data Intelligence Automates Data Privacy Compliance

ASG Data Intelligence (ASG DI) provides a data governance framework for managing, defining and tracking enterprise-wide policies, business rules and data assets to support data privacy compliance and deliver trusted, well-understood data to fuel your other data strategies, such as analytics and BI reports.

It starts with building a centralized, metadata-based inventory to discover and classify personal and sensitive data across your business and IT landscape, enabling users to search for data easily without needing to know the technical names of tables, columns or files. VCDPA and other data compliance programs require the ability to quickly locate all PII in order to respond to consumer data requests or opt-outs, conduct risk assessments, or manage audit requests.

The data inventory automates the scanning and identification of PII across the data estate by carrying forward tags for critical data, data privacy and data quality. That way, organizations know exactly what information they have and where it resides in the organization on an ongoing basis.

Organizations can then couple their data inventory with ASG DI’s data lineage capabilities to trace data from its origin to where it delivers value, including the transformations along the way. Business semantics, including business glossary definitions, context, business rules, policies, data ownership and other valuable insights, can also be embedded in this “information supply chain.” Traceable data is trusted data, as organizations can fully understand where information comes from, how systems process it and how it is used.

Dashboards, templates and reports enable you to quickly conduct impact and risk assessments and to capture and report the progress of your data compliance project.

By implementing data protection at the base of your data management framework, your organization will always be audit-ready. Reducing the risk of non-compliance and gaining confidence in the data you hold will save you time and money and provide peace of mind for your business.