What the Virginia Consumer Data Protection Act means for you

How to exercise your rights under the Virginia Consumer Data Protection Act

The Virginia privacy law gives you a bit of control over how businesses collect and use your personal data. Here's how to take advantage.

A close up of a person's hands typing on a smartphone
Pexels user Katerina Holmes | Public Domain
Companies use smart phones to collect a lot of data on us.

Take Action

Phoebe Normandia

Intern, Don't Sell My Data campaign

The Virginia privacy law – called the Virginia Consumer Data Protection Act – passed in March 2021. It was the second state privacy law nationally, and went into effect January 1, 2023.

What is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act is a consumer privacy law that gives you some basic rights regarding how businesses collect, use and sell your data. Exercising those rights requires some work on your part. Let’s take a look.

What does the Virginia privacy law do for consumers?

The Virginia privacy law gives you several rights regarding your personal information:

  • Right to Access: You can request a copy of the personal information businesses have collected about you.
  • Right to Correct: You can request a business correct inaccuracies in the personal information it has collected about you.
  • Right to Delete: You can request a business delete the personal information it has collected about you.
  • Right to Opt Out: You can opt out of businesses selling your personal information to advertisers and other third parties.

To access, correct or delete your data, or opt out of data sales, you have to submit requests one at a time to individual companies. That means fully exercising your rights can be a pain. There are likely hundreds of third parties holding your information right now. 

How do I exercise my Virginia privacy law rights?

To exercise your other core rights – accessing, correcting or deleting the data a company has already collected on you – you must submit a request directly to each business. Companies must tell you how to send a request in their privacy policy.

Read: How to read a privacy policy

Where can I find instructions for exercising my rights in a privacy policy?

When looking at a privacy policy, search for a section titled “Your Privacy Rights,” “Your Rights and Choices,” or something similar. Use ctrl+f for the term “privacy”, “rights”, or “opt” to find this information more quickly. In this section, the business should give you instructions for how to access, correct, or delete your personal data. It will typically be a web form or an email address you need to send a request to.

If you run into problems during this process — like an invalid email address, or a web form where Virginia isn’t available in a dropdown menu — make sure to log a consumer complaint with the AG’s office. That way the AG knows which companies need a talking to.

What companies should I start with?

There are lots of companies that likely have your data. The worst actors are shadowy companies called data brokers that specialize in collecting, buying, combining, and reselling data that it bundles into profiles about you. They get data from all kinds of places and sell it to practically whomever is looking to buy. They’re terrible for your personal security.

We recommend starting with some of the biggest data brokers below. You can submit an access request if you want to see what data they have on you, or jump straight to deleting your data and opting out of future data collection.

Epsilon

Acxiom

LiveRamp

Oracle

How could the Virginia Consumer Data Protection Act be better?

The Virginia Consumer Data Protection Act gives you some rights to ask companies to delete your data. That’s good. It’d be even better, however, if less of the work of protecting your privacy was on you.

The best thing for consumers is to change how companies can collect and use data in the first place.

To maximally protect consumers, it should be on companies to only collect the data they need to deliver the service you’re expecting to get. There’s no good reason for your fast food loyalty app to be collecting your location 24/7 or your VR game app to be collecting your social security number. They plain don’t need it.

Companies should also be limited to only using the data they collect for what the consumer is expecting. There’s no good reason for your health app to turn around and sell your prescription information to advertisers or your child’s internet-enabled stuffed animals to be sending transcripts of your child’s conversations to third parties.

This matters for your personal security. The more data that companies collect, and the more companies they sell it to, the more likely it is that your personal information is going to be exposed in a breach or a hack and end up in the wrong hands. This makes it more likely you’ll be the victim of identity theft, financial fraud and hyper-targeted scams.

Like all of the state privacy laws on the books – the Virginia Consumer Data Protection Act has room for improvement. Virginia’s law currently earns a F grade on our recent scorecard report – co-authored with the Electronic Privacy Information Center (EPIC) – as it still puts too much work on consumers to protect themselves.

Every state that has passed a law has the opportunity to make it stronger. Instituting stronger upfront rules on how companies can collect and use data would improve the privacy and security of Virginians

We look forward to seeing how Virginia continues to strengthen its protections in the future. And in the meantime, folks should take advantage of their new rights.

What else can I do to protect my data?

Since your Virginia privacy rights are incredibly limited, we highly recommend taking other steps to protect yourself. We’ve got simple ways you can boost your data security here.

See below for even more tips to put you more in control of your information online.

Topics
Authors

Phoebe Normandia

Intern, Don't Sell My Data campaign

R.J. Cross

Director, Don't Sell My Data Campaign, U.S. PIRG Education Fund

R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.