Corporate Compliance Insights

Virginia Is for Lovers (of Data Privacy)

New law first of 4 state-level regulations to come online in 2023

by Alex Tray
May 17, 2023
in Data Privacy

In the three years since California implemented its landmark data privacy act (CCPA), more than 20 other states have considered or passed similar rules. 2023 will mark a major shift in the U.S. data privacy landscape, as all four states with new data privacy rules since California will start enforcing their laws this year — starting with the Virginia Consumer Data Protection Act, which went into effect in January. IT analyst Alex Tray talks about what makes the new law unique.

Although similar features are typical among privacy laws, compliance with GDPR or CCPA won’t be enough to comply with the Virginia Consumer Data Protection Act (VCDPA), which went into effect Jan. 1, 2023. Industry experts have already called the act “a very Virginia” move, representing a special approach to privacy regulations that is different from both the EU GDPR and California’s law.

The new law grants Virginia residents the right to know and decide how their personal data is used by organizations, allowing people to send requests to the organizations holding their personal information, seeking:

  • Confirmation of personal information being processed
  • Access to their personal data
  • Corrections to personal data in case of inaccuracies
  • Deletion of their personal data
  • A copy of their personal data
  • Restriction of processing of their data for the purposes of targeted advertisements, sales of personal data or profiling

Notably, there is no exception to the profiling opt-out, making the VCDPA stricter than the EU GDPR in this regard. Under the VCDPA, an organization must receive a customer’s clear consent to use their personal data for profiling purposes.

A first for U.S. law

Similar to language in the EU GDPR, under Virginia’s law, organizations that must comply are those that “control or process” personal data, and the law defines those terms separately, which makes it unique among data privacy laws in the U.S.

  • A controller is an individual or entity that “determines the purpose and means of processing personal data” alone or with other individuals or entities. Under the act, the purposes for which a controller may collect data are strictly limited: consumer data collection is allowed only within the bounds of the intended purposes the consumer is aware of.
  • A processor, then, is a person or organization that processes data on behalf of a controller.

Virginia requires contracts between a controller and a processor that regulate the processing of consumer data, ensuring that processors maintain required confidentiality levels.

Exemptions & distinctions from CCPA

Nonprofits, entities covered by HIPAA laws, those whose data processing is regulated under the Fair Credit Reporting Act and those covered by the Gramm-Leach-Bliley Act (GLBA) are all exempted from the VCDPA.

The exemption for financial institutions under the GLBA is worth a separate note. The VCDPA exemption is quite broad here compared to other laws, including the CCPA, which exempts only the data that is subject to GLBA, while the Virginia act exempts the entire organization.

Additionally, third-party violations of the Virginia CDPA won’t lead to penalizing the original data controllers and processors. Liability applies only when a data controller or processor was clearly aware of a third party’s intent to commit a violation.

The VCDPA requires organizations to provide consumers with the ability to opt in to personal data processing and to complete every request within 60 days. Ensure that your resources have the necessary disclaimers that a consumer can see; a pre-checked checkbox doesn’t work here.

Compliance with the VCDPA

Many small businesses are excluded from the CDPA, particularly if they don’t generate significant revenue from the sale of personal data. Organizations are covered if they control or process the data of at least 100,000 consumers, regardless of what they do with the data, or if they handle data for 25,000 consumers and derive more than half their revenue from selling that data.

For companies that should comply with the law but don’t, penalties are far short of the stiff fines they can face for violating the EU’s GDPR, but the Virginia Attorney General’s Office can levy a fine of up to $7,500 per violation in the state.

In many ways, the VCDPA is an improvement over the EU’s GDPR, and it goes further than the CCPA in several areas, including prohibiting automated decisions regarding consumer data profiling. Regardless of where they’re based, organizations would be wise to take the opportunity to review their collection and processing of consumer data to adhere to emerging data privacy best practices.


Alex Tray is an accomplished system administrator with a bachelor's degree in computer science and a decade of experience in IT. He has contributed to the growth of several startups in Silicon Valley and is now a cybersecurity consultant and freelance writer at NAKIVO Backup and Replication. Alex specializes in Windows server and desktop administration, as well as Azure, Active Directory, Office 365, DNS, DHCP, Group Policy, Endpoint Manager (Intune) and Microsoft Endpoint Configuration Manager (SCCM).
