VIRGINIA CONSUMER DATA PROTECTION ACT
READINESS CHECKLIST
PRACTICAL STEPS FOR YOUR PRIVACY, LEGAL AND COMPLIANCE TEAMS
2 Exterro - Virginia Compliance Checklist © 2021 Exterro, Inc. // exterro.com // [email protected] // 503.501.5100
INTRODUCTION
In January 2021, the Commonwealth of Virginia passed the Virginia Consumer Data Protection Act (VCDPA), which grants rights to Virginia residents over personal information collected about them by others. While the VCDPA does not go into effect until January 1, 2023, the provisions in the statute are similar to other rigorous privacy laws, and organizations must prepare for these regulations ahead of time. Complying with VCDPA reinforces other governance, risk, and compliance (GRC) objectives for your organization related to data management, data privacy, and data protection.
Does VCDPA Apply to You? .......................................... pg. 3
Consumer Data Rights ............................................... pg. 4
Disclosures and Purpose Limitations ................................ pg. 6
Sharing Personal Info. with Third Parties .......................... pg. 7
De-Identified Data ................................................. pg. 8
Conclusion ......................................................... pg. 9
DOES VCDPA APPLY TO YOU? TO YOUR DATA?
Only certain organizations and certain data are covered by
VCDPA. This depends on the nature of the organizations,
and on whether the data is subject to other regulations
that mandate privacy practices for that data.
1. Are you covered by VCDPA?
A. Does your organization control or process the personal information of 100,000 Virginians per year?
B. Does your organization control or process the personal information of 25,000 Virginians and derive more than half of its revenue from the sale of personal information?
If the answer to either question is “Yes” then you are subject to
VCDPA, unless you qualify for one of the following exemptions.
2. Some organizations meet the coverage criteria but are still exempt from VCDPA. To determine if you are exempt, you must answer the following questions:
Is your organization a:
A. state agency, board, commission, or political subdivision?
B. financial institution subject to GLBA (Gramm-Leach-Bliley Act)?
C. entity covered by HIPAA (Health Insurance Portability and Accountability Act)?
D. nonprofit?
E. institution of higher education?
If you answered yes to any of these questions, your organization is
exempt from the VCDPA.
3. There are other reasons that VCDPA may not apply to certain personal data held by your organization. For example, VCDPA does not apply to employee data. It also does not apply to data that already has personal data handling rules under federal law.
Does your organization process personal data that is regulated by
any of the following:
A. Gramm-Leach-Bliley Act?
B. Health Insurance Portability and Accountability Act?
C. Fair Credit Reporting Act?
D. Driver's Privacy Protection Act?
E. Family Educational Rights and Privacy Act?
F. Farm Credit Act?
G. Children's Online Privacy Protection Rule?
H. Health Care Quality Improvement Act?
I. Patient Safety and Quality Improvement Act?
If you answered yes to any of these questions for any of your data,
that data is exempt from VCDPA requirements.
CONSUMER DATA RIGHTS
Consumers have a variety of rights over personal data about them that is held by others. If your
organization holds personal data, it must allow consumers to exercise these rights. This includes a
means of submitting requests, a means of validating that the requests really are from the particular
consumer, a notification process for situations in which the organization would take no action (e.g., if the
data had already been deleted as part of normal data retention processing), and an appeal process
where the consumer could appeal a decision to take no action. If you answer “No” to any one of
these questions, you have some work to do to prepare for the VCDPA.
4. Does your organization have at least one means by which consumers can request to exercise their rights over their personal data?
A. Is the means a normal way that consumers would interact with your organization?
B. Is the means available without an account?
5. Is this means confidential and secure?
6. Can the organization validate the identity of the person making the request?
7. Can the organization take the following actions for a consumer within 45 days of receiving a request for the action:
A. Delete his/her personal information?
B. It is important that any system that deletes information be linked to other systems in the legal and compliance area. This system must know about data that is under a retention obligation, data that is under legal hold, and data that is needed as part of an ongoing investigation.
C. Obtain a copy of his/her personal information held by the controller?
D. Obtain a copy of his/her personal information held by the controller in electronic form for processing/portability purposes (to be loaded into another controller)?
E. Opt out of the processing of personal data for targeted advertising?
F. Opt out of the sale of personal data?
G. Opt out of the use of personal data for profiling the consumer to make decisions of a legal or otherwise significant nature?
Note that "sale" has a different definition than in California. In Virginia, there must be an exchange of monetary consideration.
8. Does the organization communicate with a consumer if it decides not to take action on a request?
9. Does the organization have an appeal procedure for its decisions not to take action?
A. Is this procedure disclosed along with the notice of these rights, as well as the instructions for making a complaint to the Attorney General?
10. Does the organization have reasonable security measures in place to protect personal and sensitive information? Have these measures been validated or audited in any way?
11. Does the organization discriminate against people who have opted out of the sale of their data or having their data stored at all?
CONSUMER DATA RIGHTS (CONTINUED)
12. Does the organization process personal data from children? If “yes”:
A. Do you obtain consent to process this data from a parent or guardian?
B. Does your processing comply with COPPA?
13. Does the organization have an opt-in (specific consent) process for sensitive data?
“Sensitive Data” is a category of personal data that includes:
1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
3. The personal data collected from a known child; or
4. Precise geolocation data.
If you answered "no" to any of the questions in this section, there is
work to do on your implementation of consumers' individual rights
over their personal and sensitive data.
DISCLOSURES AND PURPOSE LIMITATIONS
The VCDPA requires organizations to post a privacy notice
for consumers and disclose that they are collecting personal
information and why they are collecting it. Also, the data must
only be used for the disclosed purpose.
14. Does your organization disclose the purpose for collecting personal information?
15. Has the organization limited the personal information you collect to that which is needed for the disclosed purpose?
16. Does your organization get specific consent to use sensitive information for that purpose?
17. Does the organization get consent if it wishes to process personal data it has collected for reasons other than the disclosed purposes?
18. Does your privacy notice include:
A. The categories of personal data you collect?
B. The purpose for collecting personal data?
C. How consumers may exercise their rights under the law, and how they can appeal a decision by the company regarding those rights?
D. The categories of personal data that are shared with third parties?
E. The categories of third parties with whom this data may be shared?
F. Whether you use their personal data for targeted advertising, and if so, how to opt out of that use?
If you answered “no” to any of these questions, you have some work
to do on your privacy notices, disclosures, and consent.
SHARING PERSONAL INFO. WITH THIRD PARTIES, OR PROCESSING INFORMATION COLLECTED BY OTHERS
One of the areas of greatest concern with respect to privacy and data protection is third-party processing. Many significant data breaches have been the result of failures by third parties to maintain standards similar to those of the primary collector of the data. In the parlance of VCDPA, a "controller" is the organization that determines the purpose and means of processing the personal data, and a "processor" is an organization that carries out the processing on the controller's behalf. Whether your organization is acting as a processor or a controller in a third-party relationship, it is important that you understand the requirements the law places on that relationship, and that your contractual agreements and operational controls reflect these requirements.
19. Do the contracts you have with third parties that process personal data (or for whom you process personal data) include:
A. The nature and purpose of processing?
B. The types of personal data being processed?
C. The duration of processing?
20. Are all third parties subject to confidentiality agreements for personal data?
21. Is the processor required to delete or return all personal data at the end of the processing, or at the controller’s discretion?
22. Are all processors subject to periodic audits of their privacy and security practices?
23. Are data protection assessments conducted for data used in targeted advertising?
24. Are data protection assessments conducted for sensitive personal data?
25. Are data protection assessments conducted for data that is purchased or sold?
26. Are data protection assessments conducted for data that is used for profiling a consumer?
If you answered “no” to any of the questions, you have some work to
do on your third-party agreements and operational processes.
DE-IDENTIFIED DATA
One method of retaining the value of personal data without the risk is to de-identify it. This involves removing or obfuscating the personal information in such a way that the data's useful properties are retained, but the values that identify a specific person are no longer present. However, in the past several years it has been shown that de-identified data can be re-identified and that some de-identification methods are insufficient for certain classes of data. VCDPA contains some specific rules with regard to how your organization uses de-identified personal data.
27. Can de-identified data be associated with individual consumers?
28. Does your organization have a formal commitment not to re-identify de-identified data?
29. Does your organization contractually obligate any third party that uses de-identified data to commit to the restrictions in the VCDPA?
If you answered “no” to any of the above questions, you have work to
do on your practices in the use of de-identified data.
30. Is your organization reasonably capable of associating a consumer rights request from section 2 with the personal data without it being unreasonably burdensome?
31. Does your organization use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer?
32. Does your organization sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor?
If you answered yes to any of these questions about
personal data, you must allow consumers the rights that were
discussed in section 2.
CONCLUSION
Data Protection is Complex
As you can see, compliance with the Virginia Consumer Data Protection Act is complex, but with adequate preparation, your organization should be in compliance by January 1, 2023.
Exterro is the world leader in legal GRC software, helping customers around the globe comply with privacy legislation, fulfill consumer data rights, identify, manage and govern data, and orchestrate security incident response. To see how Exterro can help your organization comply with the VCDPA, click here.
For more information on the Virginia Consumer Data Protection Act, click here.