The Weekly Breach Breakdown: Virginia Consumer Data Protection Act (VCDPA) to be the Second Strongest Privacy Law in the U.S.

• The Virginia Consumer Data Protection Act (VCDPA) will be the second strongest privacy law in the U.S., modeled after California privacy laws. It is scheduled to take effect on January 1, 2023.
• The VCDPA is not limited to people who live in Virginia. It applies to any businesses that collect the data of at least 100,000 Virginia residents during a calendar year, or at least 25,000 Virginia residents, and derives more than 50 percent of its gross revenue from the sale of personal information.
• Under the VCDPA, consumers will have the right to access personal data that businesses collect about them, correct inaccuracies in the data, request personal data be deleted in certain exceptions, and opt-in to the use of personal data and opt-out of the sale of personal data in certain circumstances.
• For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified.
• For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for February 26, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. Last week we talked about significant privacy changes being driven by a private company – specifically, Apple through an update in the operating system for iPhones. This week we focus on state laws that are fundamentally changing the legal and regulatory landscape across the country.

Some people of a certain age probably remember the School House Rock cartoons that, among other things, taught us about the functions of conjunctions. However, more memorably, about how laws are made. The short cartoon from 1975 gives us the title of today’s episode – “I’m just a bill…sitting here on Capitol Hill.”

New Virginia Privacy Law: “Virginia Consumer Data Protection Act (VCDPA)”

By the time people listen to the podcast or read the transcript, Governor Ralph Northam of Virginia is likely to have already signed the second strongest privacy law in the country, the Virginia Consumer Data Protection Act or VCDPA. Modeled after groundbreaking California privacy laws, the Virginia Consumer Data Protection Act adds new rights for Virginia residents and obligations for businesses that collect information about people who live in the Old Dominion.

However, VCDPA is not limited to businesses based in Virginia. Like the California Consumer Privacy Act (CCPA) and the European Union’s privacy law (GDPR) before that, the VCDPA applies to any business anywhere in the world if it:

1. Collects the personal data of at least 100,000 Virginia residents during a calendar year; or
2. Collects the personal data of at least 25,000 Virginia residents and derives more than 50 percent of its gross revenue from the sale of personal information.

Non-profits, government agencies, and colleges and universities are exempt, along with a few institutions regulated by certain federal privacy laws.

Under the Virginia Consumer Data Protection Act, consumers will have the right to:

• Access personal data that a business collects and uses about them;
• Correct inaccuracies in that data;
• Request that personal data be deleted subject to certain exceptions;
• Opt-in to the use of sensitive data in certain circumstances, with sensitive information being personal attributes like race or sexual orientation, biometric information, children’s information, and location data.
• Opt-out of the sale of personal information and certain automated processes based on personal data. The VCDPA also requires businesses to let individuals opt-out of the sale of personal data to third parties as well as “targeted advertising.”

When the Virginia Consumer Data Protection Act Takes Effect

Businesses will have until January 1, 2023 – when the VCDPA goes into effect – to get ready to comply with the law, the same day California’s updated privacy law, the California Privacy Rights Act (CPRA), becomes effective. Unlike the California law, the enforcement of the Virginia law will be the exclusive jurisdiction of the state attorney general – no individual consumer lawsuits are allowed for now.

Other Privacy Laws in the Works

The January 1, 2023 date could be crowded with new state privacy laws. There are currently ten other states considering similar privacy and cybersecurity laws and two that have established study commissions that will be required to report back to their state lawmakers by 2022.

The Possibility of a Federal Privacy Law

What about a federal privacy law passed by Congress that applies uniformly across the country? Even with a new Congress, many of the same roadblocks remain from past Congresses. One side wants state laws to be overruled, and the other side wants a federal law to be a floor, not a ceiling for the states. There is also the unanswered question about the ability of individuals to file lawsuits over violations of privacy.

Contact the ITRC

If anyone has questions about how to keep their personal information private and how to protect it, they can visit www.idtheftcenter.org, where they will find helpful tips on these and many other topics.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. People can speak with an expert advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Visit www.idtheftcenter.org to get started.

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.