Attorney General Jay Jones Reminds Virginians of Their Data Privacy Rights

Attorney General Jay Jones Reminds Virginians of Their Data Privacy Rights

Richmond, VA – As part of National Consumer Protection Week, Virginia Attorney General Jay Jones is highlighting how the Virginia Consumer Data Protection Act (VCDPA) protects the personal data of Virginians. As the second state in the country to implement a comprehensive data privacy law, Virginia is a leader in data privacy law.

“Virginians have the right to their personal data under Virginia law,” said Attorney General Jones. “Standing up for every Virginian means using every tool at our disposal to put Virginians first, protect them from bad actors, and ensure that their rights are protected, including the right to protect their data and privacy.”

In a world of emerging technologies, large companies have been able to collect and sell the personal data of virtually most of Americans. For example, the Electronic Privacy Information Center indicates that “[t]housands of data brokers in the United States buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight.”[1] As the world continues to do more business and share more information online, companies will be able to collect more of Americans’ personal data without any input or decisions made by those consumers.

The VCDPA gives Virginians a seat at the table with these large companies when it comes to their data privacy rights. This law requires that businesses holding large amounts of personal data of Virginians give Virginians the following privacy rights and processes for invoking their rights to:

• confirm if their personal data is being processed;
• correct inaccuracies in their personal data;
• delete their personal data;
• obtain a copy of their personal data, and
• opt out of processing of their personal data for purposes of targeted advertising or the sale of their personal data.

The law broadly defines personal data to include “any information that is linked or reasonably linkable to an identified or identifiable natural person” and that is not publicly available information. Some examples of personal data may include home address, email address, phone number, Social Security number, birth date, order history, and search history.

In addition, the law provides even stronger protections for sensitive data and requires that businesses subject to the law obtain the consumer’s consent before processing their sensitive data. Sensitive data includes a person’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; processing of genetic or biometric data for the purposes of uniquely identifying that person; personal data collected from a known child (under 13); and precise geolocation data.

For example, under this law, a company that holds personal data of over 100,000 Virginians such as a grocery store chain, data broker, social media platform, or a subscription company, generally must honor the request of a Virginian who wants their personal data to be deleted. The Virginian can also obtain a copy of all their personal data being stored with the company. If a company wants to process a Virginian’s sensitive personal data as it relates to their religious beliefs or racial origin, then the company must obtain the consumer’s consent before processing it.

The law also requires these companies to provide a “reasonably accessible, clear, and meaningful privacy notice” for Virginians to easily understand how to invoke their rights and what the company is doing with their data, including clearly and conspicuously disclosing if a company sells personal data for targeted advertising.

If Virginians think that their consumer data rights under the VCDPA are being violated, they can file complaints with the Virginia Attorney General’s Office at the following link: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

The Attorney General has authority to enforce the VCDPA and can notify controllers and processors of data that a violation of the law has occurred. These entities have 30 days to inform the Attorney General’s office in writing that the violation has been cured. If the controller or processor fails to cure violations within the 30-day period, the Attorney General can file a lawsuit against the entity and may seek civil penalties of up to $7,500 for each violation of the VCDPA. For more information on the VCDPA, please visit our website here.

For further assistance, call our Consumer Protection Hotline at 1-800-552-9963 if calling from Virginia, or (804) 786-2042 if calling from the Richmond area or from outside Virginia.

[1] https://epic.org/issues/consumer-privacy/data-brokers/

###