What the Virginia Consumer Data Protection Act means for you

The Virginia privacy law – called the Virginia Consumer Data Protection Act – passed in March 2021. It was the second state privacy law nationally, and went into effect January 1, 2023.

What is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act is a consumer privacy law that gives you some basic rights regarding how businesses collect, use and sell your data.

The Virginia Consumer Data Protection Act earns a F grade on our recent scorecard report – co-authored with the Electronic Privacy Information Center (EPIC) – for how well it actually protects consumers. In fact, it tied Utah for second-worst in the nation. 

Virginia’s privacy law puts a lot of work on you if you want to stop companies from collecting and selling your data. It’d be better if instead companies were limited to what data they can collect on you and what they can do with it in the first place.

What does the Virginia privacy law do for consumers?

The Virginia privacy law gives you several rights regarding your personal information:

• Right to Access: You can request a copy of the personal information businesses have collected about you.
• Right to Correct: You can request a business correct inaccuracies in the personal information it has collected about you.
• Right to Delete: You can request a business delete the personal information it has collected about you.
• Right to Opt Out: You can opt out of businesses selling your personal information to advertisers and other third parties.

Most of these rights are too difficult to exercise. To access, correct or delete your data, or opt out of data sales, you have to submit requests one at a time to individual companies. Fully exercising the rights Virginia’s privacy law gives you would be like taking on a part-time job. There are likely hundreds of third parties holding your information right now. 

How do I exercise my Virginia privacy law rights?

To exercise your other core rights – accessing, correcting or deleting the data a company has already collected on you – you must submit a request directly to each business. Companies must tell you how to send a request in their privacy policy.

Read: How to read a privacy policy

Where can I find instructions for exercising my rights in a privacy policy?

When looking at a privacy policy, search for a section titled “Your Privacy Rights,” “Your Rights and Choices,” or something similar. Use ctrl+f for the term “privacy”, “rights”, or “opt” to find this information more quickly. In this section, the business should give you instructions for how to access, correct, or delete your personal data. It will typically be a web form or an email address you need to send a request to.

How could the Virginia Consumer Data Protection Act be better?

The Virginia Consumer Data Protection Act gives you some rights to ask companies to delete your data. It sounds nice, but really it puts the onus on you to become a data privacy expert in order to protect yourself. Even if you exercised all your rights perfectly, it still wouldn’t be enough to keep your information secure.

The best thing for consumers is to change how companies can collect and use data in the first place. It should be on companies to limit their data collection to only the data they need to deliver the service you’re expecting to get up front. There’s no good reason for your fast food loyalty app to be collecting your location 24/7 or your VR game app to be collecting your social security number. 

Companies should also be limited to only using the data they collect for what the consumer is expecting. There’s no good reason for your health app to turn around and sell your prescription information to advertisers or your child’s internet-enabled stuffed animal to be sending transcripts of your child’s conversations to third parties. 

This is a big deal. The more data that companies collect, and the more companies they sell it to, the more likely it is that your personal information is going to be exposed in a breach or a hack and end up in the wrong hands. This makes it more likely you’ll be the victim of identity theft, financial fraud and hyper-targeted scams. 

It’s absurd we haven’t stopped companies treating our data like a commodity. States can lead the way in amending the laws they’ve already passed to do more to protect consumers.

What else can I do to protect my data?

Since your Virginia privacy rights are incredibly limited, we highly recommend taking other steps to protect yourself. We’ve got simple ways you can boost your data security here.

See below for even more tips to put you more in control of your information online.

Social media privacy tips

How to request and download your Facebook data

How to request and download your Instagram data

Stop Instagram from harvesting so much of your data