Virginia Consumer Data Protection Act (VCDPA): Just The Facts

As predicted, the passing of the California Consumer Privacy Act of 2018 (CCPA) has inspired other states to follow suit with similar privacy laws. According to the National Law Review, “On February 3, 2021, the Virginia Senate unanimously passed the Virginia Consumer Data Protection Act (VCDPA), SB1392.” Once signed into law by Governor Northam, the VCDPA will take effect January 1, 2023, the same day as the California Privacy Rights Act (CPRA), a law expanding the CCPA to add stronger data privacy rules for businesses and additional consumer rights. The lead time for the VCDPA and CPRA allows businesses that collect and utilize consumer data time to prepare and adapt to the new regulations.

What Are The Guidelines Of The VCDPA?

The VCDPA is modeled after the CCPA and the CPRA and includes similar elements. The National Law Review explains the VCDPA has been passed to let consumers:

Confirm whether or not a controller is processing their personal data and to access such personal data;

Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;

Delete personal data provided by or obtained about them;

Obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and

Opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.

Essentially, once the VCDPA becomes law, consumers (defined within the law as “a natural person who is a resident of the Commonwealth [of Virginia] acting only in an individual or household context.”) must be able to “access, correct and delete personal data.” Consumers will be able to opt out of having their non-sensitive personal data used for targeting in advertising, and the VCDPA will require businesses to ask for direct consent before collecting and using sensitive data, including race, sexual orientation and immigrant status. Only the Attorney General of Virginia will have the authority to sue businesses who aren’t in compliance. 

Do Advertisers Support The VCDPA?

Microsoft and Amazon testified on behalf of the VCDPA. More and more, tech companies are looking to endorse privacy measures that give consumers control while still allowing for individual opt-ins that support targeting and the use of first-party data. Some privacy advocates do not see the VCDPA as going far enough, and are pushing for “opt-out requests sent through browser controls,” although those are less popular with the ad industry.

What Does The VCDPA Mean For Advertisers?

Like the CCPA, the VCDPA could have an impact on personalized advertising, which businesses must consider as they look ahead to the VCDPA becoming law. However, businesses that comply with CCPA will likely be prepared for VCDPA to take effect. 

Regardless, businesses should be proactive and prepare for the coming changes, including looking at the data they collect, how data is stored and how data is integral to their campaigns. Additionally, all brands and businesses should be making efforts to reassure consumers that their data isn’t being misused or otherwise compromised, setting the stage for more opt-ins when the time comes.

Are You Looking For Safe Ways To Reach Opted-In Audiences?

Digital Media Solutions® (DMS) understands how important it is for brands to adhere to regulations like CCPA, TCPA and CAN-SPAM, so we have prioritized and operationalized compliance across everything we do to offer brand-safe digital consumer engagement opportunities. DMS de-risks ad spend while helping our advertiser clients connect with more consumers and expand their customer bases.