VCDPA compliance following on the heels of GDPR & CCPA compliance laws

Tally Netzer

Tally Netzer

Product Marketing Manager, K2View

After Europe’s GDPR and California’s CCPA, the latest data privacy law comes from none other than Virginia. In a unanimous voice, Virginia’s Senate passed the Virginia Consumer Data Protection Act (VCDPA), which will come into effect in 2023.

Welcome the VCDPA

Like data privacy regulations before it, VCDPA compliance involves residents’ privacy rights, including consent, access, removal, and more. The law offers strong protection for sensitive data like racial, religious, and medical information, and prevents companies from trading data, or profiling users, without conducting an adequate data protection assessment.

The VCDPA received its share of criticism. Groups like the Consumer Federation of America (CFA) and the Electronic Frontier Foundation (EFF) believe that the law fails to offer sufficient protection, and warn consumers not to trust any legislation supported by tech leaders like Amazon and Microsoft.

When we take a closer look, Virginia’s initiative can be very telling, and companies looking to prepare for the future of data privacy would be wise to take  VDCPA compliance into consideration.

Privacy laws are cropping up everywhere


Virginia may be the latest to announce new data privacy regulations, but it is most certainly not the last. Dozens of similar initiatives are well on their way, and we can expect an outpouring of data protection laws in the near future. Those who think that only “techie” states like California care about data privacy are learning that it is far from the truth.

With the change in administration, we can also expect a federal data protection law to take shape. This means that companies, which up until now thought they could avoid data protection compliance, must wake up. Sooner or later (but probably sooner), your business will be subject to regulatory requirements and it’s best to put the right compliance management software in place right now. And, if your company already has CCPA compliance software for Californian residents, this is a good time to verify that it will easily support VCDPA compliance as well

Show me the data - the case for automation

VCDPA compliance laws, like GDPR and other regulations, are focused on providing consumers with more control over their personal data, how it is processed, and whether sufficient protection measures are being taken. Processors and controllers have specific responsibilities related to users’ consent and subject rights. The demand for data protection makes it clear that companies are obligated, by law, to know where user data is stored and how it is being handled at any given moment – or in other words, take data privacy management seriously.

For many enterprises, this is a scary thought. It’s like being asked to provide a list of everything you shoved in messy storage units over the course of years. Companies will have to conduct a thorough data audit to find out where user information is stored (spoiler: everywhere) and organize quickly. Without the right VCDPA compliance software, with automated data discovery, this mission is close to impossible.

A whole new language for user privacy

You may have noticed that we keep comparing this new law to GDPR, CCPA, and other privacy regulations. That’s because VCDPA compliance legislation draws a lot of inspiration from existing laws. The structure, list of rights, and terminology were created based on the pioneers in the field, and every law that joins the party further supports these notions. Just like that, the data privacy glossary was formed and revolutionary concepts turned into an established truth. We now have a clear language around data privacy.

Going back to our first point in this article, this means that companies interested in preparing for unknown future regulations can turn to existing laws for guidance. They are likely to meet similar requirements as more laws are passed.

These advancements may seem intimidating to those that still need to determine their approach to data processing. But legislators aren’t the only ones moving quickly. Within a matter of weeks, companies can go from scattered data management procedures to a well-structured user-level processing methodology. And now is a great time to take the first step, in the right privacy compliance direction.