Businesses and consumers of Virginia will soon have to adjust to a new data privacy law.
Following in the footsteps of California, Virginia just became the second state to adopt an online data protection law for consumers that is comprehensive. This affects everyone from general consumers to companies that provide IT services and everyone in between.
Here is a closer look at the new law.
The Consumer Data Protection Act
The Consumer Data Protection Act went into effect on March 2, 2021. It applies to Virginia companies and companies doing business in Virginia that handle or process the personal information of 100,000 Virginia residents or more per year. It also applies to businesses that make at least 50% of their gross revenues from the sale of data (while dealing with at least 25,000 Virginia residents). In other words, the new law applies to bigger companies that handle the sensitive data of consumers, but not the smaller ones.
The bill names those who are in the position to control and process personal data “controllers.” Moreover, while those who use the internet on their own time are covered, there is no coverage for people who use the internet at an uncovered company.
Coverage Details for Data Privacy
Those who are qualified for coverage under the new bill will be extended the following rights in terms of how their data is handled:
Data Confirmation: Those who are protected under the new bill are able to confirm whether a controller has their data. They are also allowed to see exactly what the data is in that controller’s possession.
Data Correction: Those who are protected under this bill are also able to correct this data. If the data that is accessed is determined to be inaccurate, the user can provide the controller with the correct details.
Deletion Requests: The bill also makes it possible for protected parties to request that the data be deleted. No matter how the data was acquired, the user can demand that it is deleted from their system.
Opt Out: Lastly, protected parties have the option to opt out of having their data used in targeted advertising altogether, from having it sold to third parties, and/or from any other scenarios that can cause similar results.
What Do Businesses Need to Do?
Therefore, those who are considered controllers and offer IT services must be mindful of the type of data they gather and share. They must limit the collection to the data that is considered relevant, adequate, and reasonably necessary.
Nevertheless, when it comes to individual’s rights being violated as a result of this bill, there are not many options. Consumers are not allowed to sue companies for violating their rights. Rather, the Virginia attorney general’s office must determine which cases are valid. They then pursue all cases that they decide are worth pursuing.
Overall, when it comes to data privacy and IT services, there are plenty of things to consider. Especially if your company is considered a controller, you need to go above and beyond to ensure you collect the proper information, and that you also safeguard this data as much as possible.
If you need more information about this bill or how to keep your customer’s data safe, feel free to get support from us here at Envision Consulting. We are watching these new legal developments closely, and we are ready to take the weight of these new compliance concerns off your shoulders.