IDC Names Securiti a Worldwide Leader in Data Privacy
ViewListen to the content
Virginia has become the next US state to pass a comprehensive consumer data protection law which can be considered to be at par with other major state data privacy laws i.e. the California Consumer Protection Act (CCPA) -or the recently passed Consumer Privacy Rights Act (CPRA)- and Washington Privacy Act (WPA). This new law shall provide comprehensive privacy rights to state residents of Virginia and impose a new set of obligations and duties on businesses managing consumer personal data.
All consumers may invoke the following rights by sending a verified request to the data controller (in case of a child, the parent/guardian may send the request on behalf of the child):
The consumer has a right to access the personal data collected and processed about him/her by the data controller.
The consumer has a right to have inaccurate personal data being stored or processed by the data controller be corrected.
The consumer has the right to have his/her personal data stored or processed by the data controller be deleted.
The consumer has a right to obtain a copy of his/her personal data, in a portable, technically feasible and readily usable format that allows the consumer, where the processing is carried out by automated means, to transmit the data to another controller without hindrance.
The consumer has the right to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice containing specific information including categories of data it shares or sells (including for targeted advertising) and means for consumers to exercise their rights.
Controllers must undertake Data Protection Assessments (DPAs) before conducting certain types of risky processing, protect deidentified data from reidentification and comply with data subject requests made by consumers as well as ensure data processors it contracts with comply with the duties prescribed under this law.
Controllers shall not collect unnecessary personal data of consumers or process the personal data for purposes beyond what was disclosed to consumers without gaining their consent.
Controllers may not process the personal data to discriminate against the consumer in any way - including discrimination for exercising their data privacy rights.
Controllers cannot process sensitive personal data (including data of minors) unless it has the express consent of the consumer (or parents/guardians of a minor child).
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.
The VCDPA does not apply to:
The Virginia Attorney General may issue a civil investigative demand to any controller or processor believed to be engaged in, or about to engage in, any violation.
The state AG also retains exclusive authority to enforce the VCDPA by bringing an action in the name of the Commonwealth, or on behalf of persons residing in the Commonwealth as well as reasonable expenses incurred in investigating and preparing the case, including attorney fees against violators.
Thus covered businesses must comply with the law or face civil penalties for non-compliance up to $7500 for each violation as well as an injunction to stop the violation from further continuing.
The provisions of this act shall become effective on January 1, 2023.
The VCDPA is structurally very similar to the CPRA (which has amended the CCPA) but it has some significant differences.
The Data Protection Assessments under the VCDPA shall identify and weigh the benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing activities after accounting for mitigating factors.
The requirement to conduct Data Protection Assessments under the VCDPA shall apply to processing activities created or generated after January 1, 2023, and is not retroactive.
VCDPA defines a minor below 13 years of age for the additional protections it provides.
There is no 12 months time limit as found in the CPRA or CCPA after which the business can re-ask for the consent of the consumer who chooses to exercise the right to opt-out.
The VCDPA requires that opt-in consent be collected for processing of children’s Personal Data, use of Sensitive Personal Data and use of Personal Data beyond the initial purpose for which it was collected for.
The Virginia Consumer Data Protection Act (VCDPA) is a privacy law in the state of Virginia, USA. It establishes regulations for how businesses handle and protect consumers' personal data, granting consumers certain rights over their data.
Yes, Virginia has the Virginia Consumer Protection Act (VCPA), which aims to protect consumers from deceptive or unfair trade practices.
While both CCPA (California Consumer Privacy Act) and VCDPA are consumer privacy laws, they have differences in terms of scope, requirements, and applicability. They both grant consumers rights over their data, but they apply to different jurisdictions (California and Virginia, respectively).
Yes, the Virginia Consumer Data Protection Act became effective on January 1, 2023.
The Virginia Consumer Data Protection Act protects consumers by prohibiting deceptive and unfair trade practices, giving consumers the right to sue for damages, and providing a mechanism for enforcement against businesses engaging in such practices.
Anas Baig is a Product Marketing Manager with a proven track record in the cybersecurity industry. He has been a prominent contributor to numerous esteemed publications, including Infosecurity Magazine, CSO Online, Tripwire, Security Affairs, Network Computing, Security Boulevard, and several other renowned cybersecurity blogs.His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of cybersecurity.
Get all the latest information, law updates and more delivered to your inbox
September 21, 2023
Introduction The emergence of Generative AI has ushered in a new era of innovation in the ever-evolving technological landscape that pushes the boundaries of...
September 13, 2023
Kuwait didn’t have any data protection law until the Communication and Information Technology Regulatory Authority (CITRA) introduced the Data Privacy Protection Regulation (DPPR). The...
September 12, 2023
Following the end of the Brexit Implementation Period on 31 December 2020, the United Kingdom is no longer subject to the European Union General...
The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.
Get the Book“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”
- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
Copyright © 2023 Securiti · Sitemap · XML Sitemap
info@securiti.ai
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128