California tends to be on the forefront in consumer privacy laws within the United States. However, there is a growing momentum for other states to join California in legislating consumer privacy rights, as well as pushes for federal legislation. The latest state to join in and pass consumer privacy legislation is Virginia, with its Virginia Consumer Data Protection Act (VCDPA). With Virginia joining the fray, several questions arise, such as how closely does the VCDPA follow California's legislation? How, if at all, does it differ from already-existing legislation? What do businesses need to comply with the VCDPA, if at all?
WHAT IS THE VIRGINIA CONSUMER DATA PROTECTION ACT?
The VCDPA largely mimics elements from its Californian cousins, the California Consumer Privacy Act (CCPA) as modified by the California Privacy Rights Act (CPRA). The main features of the law include: (a) issuing the right to request what information is collected; (b) the right to correct information provided; (c) the right to deletion; (d) providing notice to consumers regarding the collection of their data; and (e) protecting consumer data. Further, the consumer requests, akin to the CCPA, do require verification, and similarly phrased data security practices that rely on how "reasonable" they are, depending on the volume and type of information at issue. Though, the VCDPA does expand on this slightly, requiring "data protection assessments" to determine the security of protected information, how it is shared and used, the benefits in sharing the information and harm resulting from any breaches.