VIRGINIA CONSUMER DATA PROTECTION ACT: READINESS CHECKLIST

PRACTICAL STEPS FOR YOUR PRIVACY, LEGAL AND COMPLIANCE TEAMS

Posted on 08-Dec-2021


Page 2

Exterro - Virginia Compliance Checklist © 2021 Exterro, Inc. // exterro.com // [email protected] // 503.501.5100

INTRODUCTION

In January 2021, the Commonwealth of Virginia passed the Virginia Consumer Data Protection Act (VCDPA), which grants Virginia residents rights over personal information that others collect about them. While the VCDPA does not go into effect until January 1, 2023, its provisions are similar to those of other rigorous privacy laws, and organizations must prepare for these regulations ahead of time. Complying with the VCDPA reinforces your organization's other governance, risk, and compliance (GRC) objectives related to data management, data privacy, and data protection.

Does VCDPA Apply to You? ........................................... pg. 3

Consumer Data Rights ................................................. pg. 4

Disclosures and Purpose Limitations ............................... pg. 6

Sharing Personal Info. with Third Parties ......................... pg. 7

De-Identified Data ................................................... pg. 8

Conclusion ........................................................... pg. 9

Page 3

DOES VCDPA APPLY TO YOU? TO YOUR DATA?

Only certain organizations and certain data are covered by VCDPA. This depends on the nature of the organization, and on whether the data is already subject to other regulations that mandate privacy practices for that data.

1. Are you covered by VCDPA?

A . Does your organization control or process the personal information of at least 100,000 Virginia residents per year?

B . Does your organization control or process the personal information of at least 25,000 Virginia residents and derive more than half of its revenue from the sale of personal information?

If the answer to either question is “Yes”, then you are subject to VCDPA, unless you qualify for one of the following exemptions.

2. Some organizations meet the coverage criteria but are still exempt from VCDPA. To determine if you are exempt, you must answer the following questions:

Is your organization a:

A . state agency, board, commission, or political subdivision?

B . financial institution subject to GLBA (Gramm-Leach-Bliley Act)?

C . covered by HIPAA (Health Insurance Portability and Accountability Act)?

D . nonprofit?

E . institution of higher education?

If you answered yes to any of these questions, your organization is exempt from the VCDPA.

3. There are other reasons that VCDPA may not apply to certain personal data held by your organization. For example, VCDPA does not apply to employee data. It also does not apply to data that already has personal data handling rules under federal law.

Does your organization process personal data that is regulated by

any of the following:

A . Gramm-Leach-Bliley Act?

B . Health Insurance Portability and Accountability Act?

C . Fair Credit Reporting Act?

D . Driver's Privacy Protection Act?

E . Family Educational Rights and Privacy Act?

F . Farm Credit Act?

G . Children’s Online Privacy Protection Rule?

H . Health Care Quality Improvement Act?

I . Patient Safety and Quality Improvement Act?

If you answered yes to any of these questions for any of your data, that data is exempt from VCDPA requirements.

Page 4

CONSUMER DATA RIGHTS

Consumers have a variety of rights over personal data about them that is held by others. If your organization holds personal data, it must allow consumers to exercise these rights. This includes a means of submitting requests, a means of validating that the requests really are from the particular consumer, a notification process for situations in which the organization would take no action (e.g., if the data had already been deleted as part of normal data retention processing), and an appeal process through which the consumer can appeal a decision to take no action. If you answer “No” to any one of these questions, you have some work to do to prepare for the VCDPA.

4. Does your organization have at least one means by which consumers can request to exercise their rights over their personal data?

A . Is the means a normal way that consumers would interact with your organization?

B . Is the means available without an account?

5. Is this means confidential and secure?

6. Can the organization validate the identity of the person making the request?

7. Can the organization take the following actions for a consumer within 45 days of receiving a request for the action:

A . Delete his/her personal information?

B . Any system that deletes information must be linked to the other systems in the legal and compliance area: it must know about data that is under a retention obligation, under legal hold, or needed as part of an ongoing investigation.

C . Obtain a copy of his/her personal information held by the controller?

D . Obtain a copy of his/her personal information held by the controller in electronic form for processing/portability purposes (to be loaded into another controller)?

E . Opt-out of the processing of personal data for targeted advertising?

F . Opt-out of the sale of personal data?

G . Opt-out of the use of personal data for profiling the consumer to make decisions of a legal or otherwise significant nature?

Note that “sale” has a different definition than in California. In Virginia, there must be an exchange of monetary consideration.

8. Does the organization communicate with a consumer if it decides not to take action on a request?

9. Does the organization have an appeal procedure for its decisions not to take action?

A . Is this procedure disclosed along with the notice of these rights, as well as the instructions for making a complaint to the Attorney General?

10. Does the organization have reasonable security measures in place to protect personal and sensitive information? Have these measures been validated or audited in any way?

11. Does the organization discriminate against people who have opted out of the sale of their data or having their data stored at all?

Page 5

CONSUMER DATA RIGHTS (CONTINUED)

12. Does the organization process personal data from children? If “yes”:

A . Do you obtain consent to process this data from a parent or guardian?

B . Does your processing comply with COPPA?

13. Does the organization have an opt-in (specific consent) process for sensitive data?

“Sensitive Data” is a category of personal data that includes:

1 . Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

2 . The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;

3 . The personal data collected from a known child; or

4 . Precise geolocation data.

If you answered “no” to any of the questions in this section, there is work to do on your implementation of consumers’ individual rights over their personal and sensitive data.

Page 6

DISCLOSURES AND PURPOSE LIMITATIONS

The VCDPA requires organizations to post a privacy notice for consumers and to disclose that they are collecting personal information and why they are collecting it. Also, the data must only be used for the disclosed purpose.

14. Does your organization disclose the purpose for collecting personal information?

15. Has the organization limited the personal information you collect to that which is needed for the disclosed purpose?

16. Does your organization get specific consent to use sensitive information for that purpose?

17. Does the organization get consent if it wishes to process personal data it has collected for reasons other than the disclosed purposes?

18. Does your privacy notice include:

A . The categories of personal data you collect?

B . The purpose for collecting personal data?

C . How consumers may exercise their rights under the law, and how they can appeal a decision by the company regarding those rights?

D . The categories of personal data that are shared with third parties?

E . The categories of third parties with whom this data may be shared?

F . Whether you use their personal data for targeted advertising, and if so, how to opt out of that use?

If you answered “no” to any of these questions, you have some work to do on your privacy notices, disclosures, and consent.

Page 7

SHARING PERSONAL INFO. WITH THIRD PARTIES, OR PROCESSING INFORMATION COLLECTED BY OTHERS

One of the areas of greatest concern with respect to privacy and data protection is third-party processing. Many of the significant data breaches have been the result of failures of third parties to maintain standards similar to those of the primary collector of the data. In the parlance of VCDPA, a “controller” is the organization that determines the purpose and means of processing the personal data, and a “processor” is an organization that carries out the processing. Whether your organization is acting as a processor or a controller in a third-party relationship, it is important that you understand the requirements the law places on that relationship, and that your contractual agreements and operational controls reflect these requirements.

19. Do the contracts you have with third parties that process personal data (or for whom you process personal data) include:

A . The nature and purpose of processing

B . The types of personal data being processed

C . The duration of processing

20. Are all third parties subject to confidentiality agreements for personal data?

21. Is the processor required to delete or return all personal data at the end of the processing, or at the controller’s discretion?

22. Are all processors subject to periodic audits of their privacy and security practices?

23. Are data protection assessments conducted for data used in targeted advertising?

24. Are data protection assessments conducted for sensitive personal data?

25. Are data protection assessments conducted for data that is purchased or sold?

26. Are data protection assessments conducted for data that is used for profiling a consumer?

If you answered “no” to any of the questions, you have some work to do on your third-party agreements and operational processes.

Page 8

DE-IDENTIFIED DATA

One method of retaining the value of personal data without the risk is to de-identify it. This involves removing or obfuscating the personal information in such a way that its properties are retained, but the specific values are not valid. However, in the past several years it has been shown that de-identified data can be re-identified and that some de-identification methods are insufficient for certain classes of data. VCDPA contains some specific rules with regard to how your organization uses de-identified personal data.

27. Can de-identified data be associated with individual consumers?

28. Does your organization have a formal commitment not to re-identify de-identified data?

29. Does your organization contractually obligate any third party that uses de-identified data to commit to the restrictions in the VCDPA?

If you answered “no” to any of the above questions, you have work to do on your practices in the use of de-identified data.

30. Is your organization reasonably capable of associating a consumer rights request from section 2 with the personal data without it being unreasonably burdensome?

31. Does your organization use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer?

32. Does your organization sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor?

If you answered yes to any of these questions about personal data, you must allow consumers the rights that were discussed in section 2.

Page 9

CONCLUSION

Data Protection is Complex

As you can see, compliance with the Virginia Consumer Data Protection Act is complex, but with adequate preparation, your organization should be in compliance by January 1, 2023.

Exterro is the world leader in legal GRC software, helping customers around the globe comply with privacy legislation, fulfill consumer data rights, identify, manage and govern data, and orchestrate security incident response. To see how Exterro can help your organization comply with the VCDPA, click here.

For more information on the Virginia Consumer Data Protection Act, click here.