Virginia Consumer Data Protection Act Overview

Learn about the Virginia Consumer Data Protection Act and your potential responsibilities in this area.

Written by Agent Support Bot

The contents of this guidance note should not be construed as legal advice. If you have any questions about the applicability of this act to your business or your obligations, we recommend reaching out to your own independent legal counsel.

This guidance note is intended to provide information to our customers on the VCDPA and their potential responsibilities in this area.

Toast is committed to ensuring that individuals who provide personal information (hereinafter referred to as “personal data” in this article to align with the VCDPA) to Toast and our customers trust that their information is being adequately protected and managed in line with their expectations and in accordance with the applicable data privacy legislation. Part of this commitment means that our customers have the appropriate information and tools on hand to understand their obligations and how Toast can support certain aspects of these obligations.

What Is the VCDPA?

The Virginia Consumer Data Protection Act (“VCDPA”) is a comprehensive law governing consumer privacy that will come into effect on January 1, 2023.

The VCDPA imposes a number of privacy obligations on businesses that process personal data with the aim of increasing transparency in how consumers’ data is used, and to give consumers more control over their personal data. It establishes a set of individual rights for Virginia residents, including the right to delete personal data, and the right to opt out of targeted advertising.

What Is Personal Data Under the VCDPA?

The VCDPA defines Personal Data as “any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data or publicly available information.” In general, the requirements apply to the personal data of Virginia residents acting in an individual or household context (e.g. not in a commercial or employment context).

What Is Sensitive Personal Data Under the VCDPA?

Some types of personal data are defined as “Sensitive” under the VCDPA. Notably, these include precise geolocation (including information derived from technology such as GPS that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet), the data of known children, as well as certain demographic details (race, religion, health/genetic information, etc.). Under the VCDPA, processing of sensitive personal data is prohibited without the consumer's consent.

Does the VCDPA Affect My Business?

It depends. The VCDPA governs the collection and use of Virginia residents’ personal data and applies to businesses that either:

(i) during a calendar year, control or process personal data of at least 100,000 consumers, or

(ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.


Certain groups are exempt, such as government entities, non-profits, higher education institutions, and healthcare and financial institutions that are subject to other privacy laws.

Recommended Activities if Your Business Must Comply With the VCDPA

  • Think about your data and develop a data inventory: Although not required under the VCDPA, understanding what personal data you collect, where you collect it from, how you use it, who you share it with, and how long you retain it is important for effective VCDPA compliance in other areas (e.g. notice disclosures and individual rights obligations).

  • Addressing individual rights compliance: The VCDPA prescribes a number of individual privacy rights (described in additional detail in this guidance note below). Among these rights, the VCDPA gives consumers the right to opt out of certain processing activities including selling, targeted advertising, and profiling. It is important that in-scope businesses understand the nature of these requests and develop a process to comply should a request come in.

  • Implement appropriate security measures: Review the measures that you have in place around personal data. These include administrative, technical, and physical data security practices that will protect the confidentiality, integrity, and accessibility of personal data, and the VCDPA mandates that they be appropriate for the volume and nature of the personal data that your business processes.

  • Privacy Statement: The VCDPA requires businesses to provide a reasonably accessible, clear, and meaningful privacy notice that contains specific information, and to disclose whether personal data is sold or used for targeted advertising, and how consumers can opt out of either.

  • Conduct Data Protection Assessments: Businesses are required to do a data protection assessment that weighs the risks and benefits of each processing activity. The outcome of your data protection assessment may have implications for the way you work with your vendors. Under the VCDPA, data protection assessments should be completed in the following instances: processing of personal data for purposes of targeted advertising or for purposes of profiling that puts consumers at certain risk; sales of personal data; processing of sensitive data, and any processing activities involving personal data that present a heightened risk of harm to consumers.

Individual Rights Under VCDPA

Individual Rights Overview

The VCDPA details a number of individual rights (also called personal data rights) that your customers may be able to exercise depending on the applicability of the VCDPA to your business.

  • The right of access: Consumers have the right to confirm whether a business is processing their personal data and to access such information.

  • The right of correction: Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and purposes of the processing.

  • The right of deletion: Consumers have the right to delete the personal data they have provided or that has been collected.

  • The right of portability: Consumers have the right to obtain a copy of the personal data that was previously provided in a portable, and to the extent technically feasible, readily usable format that can be transmitted to another business where the processing is carried out by automated means.

  • The right to opt out: Consumers have the right to opt out of
    (i) targeted advertising,
    (ii) the sale of personal data, and
    (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.

Individual Rights Considerations Under the VCDPA

Below are some considerations when you receive an individual rights request from one of your customers:

  • Identity verification: In-scope businesses need to verify the identity of the individual making the request before providing them with the information they have requested. This prevents the disclosure of information to individuals who do not have a right to it. Think about what personal data you hold and the types of information that you may need from an individual to verify their identity within your business. Examples may include, but are not limited to, names, email address, phone number, or information such as a loyalty account number. Note that under the VCDPA, a request can also be submitted by a parent acting on behalf of their child.

  • Applicability determination: After identity verification, the next determination is whether or not the individual is entitled to have the request fulfilled. The VCDPA provides numerous instances where a business is not required to fulfill an individual rights request. This makes sense in certain cases; for example, a party to an active contract may not be entitled to complete deletion given the need to maintain their information. We recommend familiarizing yourself with the circumstances as to when each right applies.

  • Timelines and communication: The VCDPA imposes a number of timelines, including for fulfillment of the right itself, for communication with the requestor, and for a requestor to appeal a business’s refusal to fulfill a request. It is important to ensure that you are aware of these timelines. In parallel with the deadlines, communication with the individual making the request is also important. It may be important to clarify the individual’s request if it is too broad or if you would like more clarity. Communication is also important to ensure that you properly verify the identity of the individual and determine whether or not their request is permissible under the VCDPA.

  • Rights fulfillment/appeal process: In order to fulfill individual rights requests under the VCDPA, in-scope businesses need to understand what personal data they collect, how it is used, and how they share that information. For example, if you do not know what personal data you hold or how it is shared, providing information to an individual pursuant to an access request or being able to understand what you must delete as part of a deletion request will be difficult. The VCDPA outlines a number of requirements specific to what needs to be provided to an individual, so we recommend you read the VCDPA to understand these requirements and engage independent legal counsel if you have any questions. In addition, the VCDPA requires businesses to establish an appeal process to allow requestors to contest a business’s decision not to fulfill their request.

In certain cases, Toast may be able to support our customers with individual rights fulfillment. Toast has prepared additional guidance outlining where Toast is able to assist during this process.
