The privacy and consent landscape continuously changes, but we are committed to helping you stay ahead and remain compliant. Today’s update addresses the Virginia Consumer Data Protection Act (VCDPA) within the Universal Consent Platform (UCP).
VCDPA governs the collection and processing of personal data from Virginia residents. It sets out key rights, such as the right to opt-out of having personal data sold to third parties or used for targeted advertisement. The VCDPA takes effect on January 1, 2023.
Like CCPA/CPRA, the VCDPA can apply to business which are not headquartered or incorporated in Virginia, but which nonetheless do business there. The VCDPA also provides consumers with certain rights related to their personal data. VCDPA applies to companies that:
- Conduct business in Virginia or market their goods and services to Virginia residents; and
- Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data.or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data.
- Control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data.
The Virginia Consumer Data Protection Act provides consumers with six central rights. In addition, consumers are afforded protection against discrimination for exercising their rights. From the business perspective, it is important to note that the Virginia Consumer Data Protection Act does not offer any exceptions to those rights. Businesses must comply with authenticated requests regardless of the impracticality or hardship of a consumer's request.
- Right to Access - Consumers have the right "to confirm whether or not a controller (i.e., business) is processing the consumer's personal data and to access such personal data."
- Right to Correct Inaccuracies - Consumers have the right to "correct inaccuracies in their personal data," based on the nature of the personal data and the purposes of processing it.
- Right to Delete - Consumers have the right to "delete personal data provided by or obtained" about the consumer.
- Right to Data Portability - Consumers have the right to "obtain a copy of the consumer's personal data that the consumer previously provided to the controller (i.e., business)" in a portable and readily usable format, if technically possible.
- Right to Know and Opt-Out - Consumers have the right "to confirm whether a controller (i.e., business) is processing the consumer's personal data." If consumers find that their personal data is being processed, they have the right to opt-out of the use of it for purposes of targeted advertising, the sale of personal data, and profiling in advancing decisions that produce legal or similarly significant effects concerning the consumer.
- Right to Appeal - Consumers have the right to appeal a controller's (i.e., business) denial to act within the time set forth in the Virginia Consumer Data Protection Act.
For this release we address a few of the major points of VCDPA regulation including:
- GPC (Global Privacy Control)
- Expanded Consumer Rights
- New Notice Template for VDCPA
What this means for you: We are committed to keeping Universal Consent Platform up to date with evolving global privacy regulations with the CPRA and VCDPA being the most relevant example of that. As a Crownpeak customer, you can be confident that your consent solution will help you stay ahead of changing legislation and provide your visitors with world-class privacy experiences.
Let's look at an example of what we can help you build.
How to set up new notices for VCDPA
- Login to UCP and go to “Manage” in the menu section.
- From there, choose the domain you wish to set up.
- Once in the setup page, navigate to the settings. From here in the “Configure Consent” column you will see a new drop down to choose the regulation you wish to set up with the following options:
- Custom Regulation
- Nevada Consumer Opt-out Law
Selecting VCDPA regulation will automatically choose “Opt-out consent” as default consent type for those regulations. You’ll no longer be able to choose “Don’t require consent” or “Prior Consent” for CCPA/CPRA/VCDPA.
Global Privacy Control option is also available for VCDPA Regulation. GPC cannot be enabled for the notices with “No Consent Notification” selected as Consent Display Type.
Expanded Consumer Rights
The "Request your Data" form has been updated with new request types specific to VCDPA.
After these forms are filled out (DNS and DSAR) an automated email is sent to the user to verify who they are, and the data is saved within the privacy UI.
To access these forms login to the privacy UI (privacy.evidon.com) and choose the “Access Requests” link in the menu. Once in this menu you will have access to your list of access requests. You can use basic sorting and wildcard search to filter to whatever level is needed. On the right side above the table there is a checkbox that lets you see the results that have not yet been verified by email.