Can I ensure that my company is compliant with expanding privacy protections in Virginia? What are the requirements?
To ensure that your company is compliant with expanding privacy protections in Virginia, you must adhere to the requirements outlined in VACV 2.2-3803. This includes collecting, maintaining, using, and disseminating only personal information permitted or required by law, establishing categories for maintaining personal information, maintaining information in the system with accuracy and completeness, and establishing appropriate safeguards to secure the system from any reasonably foreseeable threat to its security. Additionally, every public body with an internet website associated with that public body must develop an internet privacy policy and statement that explains the policy to the public, which must be consistent with the requirements of this chapter [1.1].
Starting January 1, 2023, a controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:
1. The processing of personal data for purposes of targeted advertising;
2. The sale of personal data;
3. The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
4. The processing of sensitive data; and
5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

Data protection assessments conducted pursuant to subsection A shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks [4.1].
In addition to the above, private security services licensed businesses are required to maintain administrative requirements and standards of conduct as determined by the Code of Virginia, department guidelines, and this chapter [2.1][2.2].
For more information on general requirements for preparation of disclosure documents, including electronic disclosure, refer to 21 VAAC 5-110-80 [3.1].
Source(s):
- [1.1] Administration of systems including personal information; Internet privacy policy; exceptions
- [2.1] General requirements
- [2.2] Business administrative requirements
- [3.1] General requirements for preparation of disclosure documents; master franchises; electronic disclosure
- [4.1] (Effective January 1, 2023) Data protection assessments
Jurisdiction
Virginia