Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) was the second US state privacy law to come into effect and shares many similarities with the CCPA. It is designed to give Virginia residents more control over their personal data and impose specific obligations on businesses that handle such data.

The VCDPA applies to businesses that meet at least one of the following criteria:

• Conduct business in Virginia or produce products or services targeted to Virginia residents.
• Control or process the personal data of at least 100,000 Virginia-based consumers during a calendar year or
• Derive over 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

Unlike other US states’ privacy laws, it does not prescribe a gross revenue in a calendar year threshold.

VCDPA Guidelines

Under the Virginia Consumer Data Protection Act, Virginia residents have the right to:

• Access their personal data.
• Correct inaccuracies in their personal data.
• Delete their personal data.
• Obtain a copy of their personal data in a portable format.
• Opt out of the processing of their personal data for targeted advertising and the sale of their data.

Businesses that meet the criteria for VCDPA must:

• clearly disclose their data collection, processing, and sharing practices in a privacy notice.
• conduct assessments to determine and mitigate risks associated with their data processing activities.
• implement reasonable security measures to protect personal data.
• enter into contracts with data processors, ensuring that they also comply with VCDPA requirements.
• seek explicit consent for the processing of sensitive data, such as data revealing racial or ethnic origin, health information, or sexual orientation.

How Finite State Helps You Comply with the VCDPA

Finite State can complement your data protection efforts by strengthening your data security capabilities, particularly by: 

• Enforcing Secure Coding Practices: Seamless integrations into existing CI/CD pipelines automatically analyze source code and compiled binaries for common security vulnerabilities and coding errors. This allows engineers to identify vulnerabilities hidden deep within legacy code and third-party libraries and detect and address issues early in the development process.
• Real-Time Threat Detection: Integrations with vulnerability databases provide up-to-date information on the latest threats and exploits, allowing for the proactive identification of potential risks before they can be exploited.
• Automate Vulnerability Identification: Using our advanced binary and source code SCA, vulnerabilities can be identified as they’re introduced across the SDLC to help teams keep applications secure.
• Comprehensive SBOM Solutions: Automatically generate Software Bill of Materials throughout the SDLC and easily compile detailed information on all components in your products, including open-source libraries, third-party dependencies, and custom code to improve transparency and identify potential security risks in your software supply chain.

Strong cybersecurity requires a collective effort. Talk to the team today to discover how Finite State can help you comply with the VCDPA.