职业发展机会 联系 搜索

Virginians Can Protect Personal Data under New Virginia Consumer Data Protection Act


It is no secret that businesses have been collecting, 购买, and selling personal information about consumers for years.  It is a safe bet that every time you interact with a company it is recording the information it receives and building a profile on you based on demographic data, such as your shirt size or whether you own a pet, 以及你对消费品的个人偏好.

Companies use this information to better market their goods and services to you, but they may also buy and sell your information on the open market.  直到最近, 很多此类活动是不受监管的, and companies have been able to collect and share your personal information with little governmental oversite and without your knowledge or permission.

In 2023 that will no longer be the case in Virginia.  California became the first state to enact a comprehensive privacy law last year, which it modeled on privacy regulations from the European Union.  3月2日, 2021, 弗吉尼亚加入加州, becoming the second state to pass such a law when it enacted the Virginia Consumer Data Protection Act (“VCDPA”).

新法律将于1月1日生效, 2023 and applies to all entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and who, 在历年期间, :

  1. control or process personal data of at least 100,000名弗吉尼亚居民, or
  2. derive over 50% of gross revenue from the sale of personal data (though the statute is unclear if the revenue threshold applies to Virginia residents only) and control or process personal data of at least 25,000名弗吉尼亚居民.

一旦VCDPA生效, you will be able to demand that these companies provide you with a copy of all your personal data, which is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.“不是的。, 然而, include publicly available information or information that, 孤独, 不能识别消费者.   进一步, it gives you the power to edit and delete your personal data and, 如果你选择, to opt out of allowing the covered businesses to use your personal data for marketing or other purposes.

The statute also requires the covered businesses to provide consumers with a method of exercising their rights and to provide each consumer with up to two cost-free responses a year.  Businesses can charge a reasonable fee for handling additional requests.  一旦收到请求, 该公司有45天的时间做出回应, although it can extend the response time by an additional 45 days when “reasonably necessary.”

在硬币的另一面, businesses must obtain consent before processing “sensitive data,” which is defined to include “[p]ersonal data revealing racial or ethnic origin, 宗教信仰, 精神或身体健康诊断, 性取向, or citizenship or immigration status…[or that is] collected from a known child.”

VCDPA不包括非营利组织, 高等教育机构, 或者州和地方政府机构.  The law also does not cover information subject to the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act () or personal data processed in the context of employment.

不像加州的隐私法, which allows individuals to bring suit on their own behalf, the VCDPA only provides for enforcement by the Attorney General.  根据法令, once the Attorney General provides notice of a violations, the offending business has thirty days to correct the problem and confirm in writing to the Attorney General that it will not violate the law again.  If the violator fails to timely cure the problem or continues to violate the law, the Attorney General can seek damages of up to $7,每次违规500英镑.

Several other states are currently considering their own consumer privacy laws, which has led to a growing concern that businesses will be forced to navigate a patchwork of requirements in different states.  This may place pressure on Congress to pass its own data protection legislation that would set national standards and requirements.  在那之前, businesses will have over a year and a half to reassesses their collection of personal information and prepare for compliance with VCDPA.

杰夫•威尔逊 是一个现金网官网 & 现金网官网 shareholder focusing his practice on employment law matters, 包括咨询和商业诉讼.

了下: 其他主题