Additional Business Obligations of VCDPA
VCDPA mandates that businesses must be transparent with their data processing practices. This means businesses must engage in purpose limitation, data minimization, and non-discrimination.
Purpose limitation means that business are not allowed to process consumers' personal data for purposes that have not been specified to the consumer. If businesses want to process users' personal data for a secondary purpose, they must obtain user consent.
To ensure your business is practicing purpose limitation properly, identify the data your business needs to collect and what for what specific purpose. This will help your business make sure it’s only collecting users' personal data that’s “adequate, relevant, and reasonably necessary.”
Only collecting personal data that’s necessary to fulfill a specific purpose is also called data minimization. Data minimization doesn’t simply mean collecting less data. Rather, it’s being more intentional about the data your organization collects. The less data it has, the less chance of potential data misuses, like unauthorized access, processing, or disclosures.
Finally, businesses are not allowed to discriminate against a consumer for exercising their rights For example, if a user opts out of certain kinds of processing, the business cannot deny consumers a good or service, or provide a lower-level quality of goods or services.
Under VCDPA, businesses are also required to publish a clear, easy-to-understand, and easily-accessible Privacy Notice for consumers on their websites.
- These Privacy Notices must include:
- The categories of personal data processed by the controller.
- The purpose for processing personal data.
- How consumers may exercise their data subject rights.
- The categories of personal data that the controller shares with third parties.
- The categories of third parties with whom the controller shares personal data.
Work with your legal team to ensure that all of the necessary information is included in your business' online Privacy Notice.
VCDPA also requires businesses to enter data processing contracts between data processors or entities that “process personal data on behalf” of your company. An example of a data processor is a third-party SaaS vendor that processes and stores data for your business.
These contracts must dictate the terms of how the processor processes the personal data your business collects. They must also include the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors.
If your business works with processors or subcontractors that process data on your behalf, be sure to enter a legally binding data processing contract with each of them.
Businesses must also create and document data protection assessments (DPAs)to weigh the benefits and assess the risk of certain processing activities. This includes:
- The processing of personal data for purposes of targeted advertising.
- The sale of personal data.
- The processing of personal data for purposes of profiling.
- The processing of sensitive data.
- Any processing activities involving personal data that present a heightened risk of harm to consumers.
The processing of de-identified data must also be included in these assessments. If a processing risk has been identified after conducting DPAs, business must take measures in reducing the risks of processing to consumers. They must also document these measures and safeguards to demonstrate compliance.
The Attorney General of Virginia can also request a DPA to determine compliance. Make sure you’re ready for Virginia’s regulators by documenting DPIAs every time there’s a change in your business’ processing activities.
Virginia’s privacy law contains specific instructions for processing de-identified data. Businesses that process de-identified data must:
- Take reasonable measures to ensure that the data cannot be associated with an individual.
- Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
- Contractually obligate any recipient of the de-identified data to comply with these provisions.
These rights do not apply to pseudonymous data if the business can show that any information necessary to identify the consumer is kept separately with technical and organizational controls.
If your business processes de-identified data, make sure it takes the appropriate steps to ensure these safeguards are in place.