Drive VCDPA sensitive data compliance

VCDPA Overview

Virginia Consumer Data Privacy Act

The Virginia Consumer Data Protection Act (VCDPA) is a state law in Virginia that aims to protect the personal data of consumers in Virginia. The VCDPA went into effect on January 1, 2023. It was enacted in March 2021 and passed into law with a delayed effective date to allow companies time to prepare for the new requirements. 

The VCDPA applies to companies that do business in Virginia and that meet certain thresholds for the collection and use of personal data. It sets out rules for how companies can collect, use, and share personal data, and it gives consumers certain rights with respect to their personal data.

Businesses impacted

The VCDPA applies to businesses that do business in Virginia and that meet certain thresholds for the collection and use of personal data. Specifically, the VCDPA applies to “controllers” and “processors” of personal data.

A controller is a business that determines the purposes and means of processing personal data. A processor is a business that processes personal data on behalf of a controller.

The VCDPA applies to controllers and processors that meet any of the following thresholds:

1. Annual gross revenue of more than $25 million.
2. Process the personal data of more than 100,000 consumers, households, or devices.
3. Derive more than 50% of gross revenue from the sale of personal data.

If your business meets any of the thresholds above and does business in Virginia, it may be subject to the VCDPA. It’s important to carefully review the requirements of the VCDPA to ensure that your business is in compliance.

Data types covered

The VCDPA covers “personal data,” which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data includes both personal identifying information (such as a person’s name or address) and personal characteristics (such as a person’s gender or age).

The VCDPA applies to the collection, use, and sharing of personal data by businesses that do business in Virginia and that meet certain thresholds for the collection and use of personal data. It sets out rules for how these businesses can collect, use, and share personal data, and it gives consumers certain rights with respect to their personal data.

The VCDPA does not apply to certain types of data, such as data collected for national security or law enforcement purposes. It also does not apply to certain types of businesses, such as financial institutions that are subject to other state and federal data protection regulations.

Compliance requirements

Here are some key compliance requirements of the VCDPA:

1. Legal basis for collection: Companies must have a legal basis for collecting personal data from consumers, such as consent or a contract. They must be transparent about what data they are collecting and why.
2. Purpose limitation: Companies can only use personal data for the purposes for which it was collected, unless the consumer has given their consent for a different use.
3. Data minimization: Companies must only collect and process the minimum amount of personal data necessary to fulfill the purposes for which it was collected.
4. Data security: Companies must implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, or disclosure.
5. Data retention: Companies must only retain personal data for as long as necessary to fulfill the purposes for which it was collected.
6. Consumer rights: Companies must provide consumers with the right to access their personal data, to correct any errors in their personal data, and to delete their personal data in certain circumstances. They must also provide consumers with the right to opt out of the sale of their personal data.

It’s important for businesses subject to the VCDPA to carefully review and understand these requirements to ensure compliance with the law. Non-compliance with the VCDPA can result in fines and other penalties.

Enforcement and penalties

The Virginia Consumer Data Protection Act (VCDPA) establishes a number of enforcement and penalty provisions to ensure compliance with the law. The VCDPA is enforced by the Virginia Attorney General, who has the authority to bring enforcement actions against businesses that violate the law.

Under the VCDPA, the Virginia Attorney General has the power to:

1. Issue cease and desist orders to businesses that are in violation of the VCDPA.
2. Impose civil penalties on businesses that violate the VCDPA. The amount of the penalty depends on the severity of the violation and the size of the business. For example, a business that violates the VCDPA may be subject to a penalty of up to $7,500 for each violation.
3. Require businesses to take corrective action to come into compliance with the VCDPA.

In addition to these enforcement powers, the VCDPA also allows consumers to bring private lawsuits against businesses that violate the law. Consumers can seek damages, attorneys’ fees, and other relief in these lawsuits.

Six ways Qohash drives compliance

Breach identification

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track the full data lineage, including the exact location where the data got out of an environment, where it ended up – every touch point in between.

Sensitive data inventory

Qohash provides a complete inventory of sensitive, unstructured data at-rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Data deletion

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.

Risk assessment

A foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source. It provides access control lists for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Policy enforcement

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Access control

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.