By Keith Brophy, Senior Director of Hospitality Customer Success at Milestone Inc. LinkedIn
Concern about data collection methods businesses use as customers browse the web and how that information is used by the business has grown in recent years. This has led to an increasing number of data protection laws passed in different countries around the world. Within the United States, individual states can pass law with more requirements and stipulations. California passed the California Consumer Privacy Act, which went into effect on January 1, 2020.
Virginia is the latest state to protect consumers browsing online. We will walk you through what you need to know about these regulations and how you can protect your business and encourage your growth.
What is the Virginia privacy law?
On January 1, 2023, the Virginia Consumer Data Protection Act will go into effect nearly two years after the initial law was passed. This new law will apply to anyone who conducts business in Virginia or otherwise targets Virginia residents as customers. You should note, however, that the law only applies to the personal data of Virginia residents acting as an individual or on behalf of their household. It does not apply to those acting on behalf of a commercial entity. There are certain exceptions regarding what types of businesses do not have to worry about the language of this law, which we will discuss in greater detail below.
The VCDPA specifies that customers have the following rights:
1.To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data;
2. To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
3. To delete personal data provided by or obtained about the consumer;
4. To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
5. To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
You can read the full text of the law right here.
In other words, the Virginia law establishes that consumers have the right to know when their data is processed by companies and the ability to access that data when they wish. When consumers say that they want to access their data, they have the right to receive it in a format that they can easily read. If they notice inaccuracies, those consumers have the right to correct those errors. Although the law allows for certain exceptions, consumers also have the right to delete their personal data.
Are there any exceptions under the Virginia privacy law?
The law does stipulate that some types of companies do not have to worry about these new regulations. Specifically, it does not refer to the following:
- State government entities
- Institutions of higher education
- Financial institutions that are already subject to the Title V of Gramm-Leach-Bliley Act
- Health and related institutions that are subject to the HIPAA and HITECH Act
How does Virginia’s law relate to other privacy laws?
Data privacy laws have begun to pop up in a variety of places in recent years. The European Union passed the General Data Protection Regulation (GDPR) which limited the use of personal data collected. California also passed a similar law that went into effect in 2020, the California Consumer Privacy Act, which similarly sought to provide consumers with greater rights over their data and how businesses can use it.
Businesses targeting people in Virginia should note that this new law does abide by many of the same standards as the CCPA, which means that many of the protections they set up for the West Coast will also work on the other side of the country. However, the biggest difference between the California regulations and the Virginia laws is that Virginia offers customers stronger opt-out rights.
Specifically, customers in Virginia can say that they do not want their personal data used for targeted advertising. Consumers can also decide that businesses have no right to sell their personal data. These customers can also decide that businesses cannot build a personal profile of them from the data they collect.
How will the Virginia privacy law impact businesses?
Businesses that do business in Virginia need to note the key ways that this new regulation might impact businesses. Taking the time to plan right from the start can help you proceed confidently into the New Year, knowing that your data collection systems work effectively and legally.
The biggest areas that businesses need to watch is how and what they collect as customer data. You will need to limit the amount of data that has been collected. The information you do gather needs to be classified as ‘adequate, relevant, and reasonably necessary.” Once this data is collected, you cannot use it for any activities deemed ‘non-necessary’ without gaining consent.
The other big area that businesses need to pay attention to is data protection. Businesses must document how they plan to protect the data they collect from their customers. To ensure that these protections are up to standard, you have to document the data protection you have for the different means of processing customer data. This includes protection for data collected for targeted advertising, the sale of personal data, data used to build consumer profiles, sensitive data (such as the information concerning minors under 13), and data processed for activities that pose a significant threat to customers.
Overall, you will find that this regulation impacts how you process important customer data. You want to make sure that the data collection system, opt-out systems, and data protection strategies are prepared to align with the regulations established for Virginia residents.
What are the rights of Virginia residents under the Virginia CDPA?
Virginia residents have the right to know what personal data is being collected about them, why it is being collected, and how it is being used. They also have the right to request that their personal data be deleted or that its use be restricted. In addition, Virginia residents have the right to object to the processing of their personal data and the right to file a complaint with the Virginia Attorney General if they believe their rights have been violated.
What are the responsibilities of companies under the Virginia CDPA?
Companies that are subject to the Virginia CDPA must provide clear and concise information about their data collection and processing practices in their privacy policies. They must also implement reasonable security measures to protect personal data and promptly notify individuals if there is a breach of their personal data. In addition, companies must obtain affirmative consent from Virginia residents before collecting sensitive personal data and must honor requests from individuals to exercise their rights under the law.
Are there any exemptions to the Virginia CDPA?
Yes, there are certain exemptions to the Virginia CDPA. For example, the law does not apply to personal data that is collected, used, or shared in connection with a criminal investigation or prosecution. The law also does not apply to personal data that is collected, used, or shared by financial institutions, insurance companies, and certain other types of businesses that are subject to other state or federal data protection laws.
What should businesses do to prepare for this new law?
Businesses preparing for the new Virginia law should focus on a few main areas to prepare for these regulations.
Verify how your cookies are set up
You want to begin by verifying how your cookie consent banners are set up. The California law requires businesses to display this type of banner to inform customers what information is collected and how it is used and get their consent.
With the new Virginia law, businesses are going to want to adopt a similar procedure. Those targeting Virginia customers will want to read through this banner to make sure that the language aligns with the new Virginia regulations. Milestone can help businesses understand what they need to say in their banners and then produce the proper notification.
Read through your current policy with the help of Milestone to make sure that it fully aligns with the new Virginia law. Make sure customers know how their data is collected and used and what they have the right to opt out of so they can make an informed decision and you can keep up with Virginia regulators.
Make sure customers can contact you
Keep in mind also that the Virginia law requires that customers have the ability to contact businesses to request access to their data and to submit changes to their information collected. To remain compliant, therefore, you need to establish a means for consumers to contact your business, such as an email address.
This system will make it easy for customers to contact you and make it clear to them the rights they have when contacting you.
Understanding data protection laws, like the Virginia Consumer Data Protection Act, can help businesses make the optimal decisions to keep themselves compliant without missing opportunities to grow. As we prepare for the impending Virginia law to go into effect, review how these upcoming changes can impact your organization and what you can do to stay current.
If you are ready to take your online presence a step further, while also verifying that you remain compliant with Virginia’s regulations, contact us at Milestone. We will help you address these laws into manageable bites while helping you attract new customers and grow.
California Consumer Privacy Act