Can I store personal information about my customers in Virginia? What are the requirements?

Yes, you can store personal information about your customers in Virginia, but there are specific requirements that must be followed.

Requirements for Storing Personal Information

According to VACV 2.2-3803, any agency maintaining an information system that includes personal information shall collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency. The agency must establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls. The agency must maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject. The agency must maintain a list of all persons or organizations having regular access to personal information in the information system. The agency must maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained. The agency must establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security.

Sale of Purchaser Information

According to VACV 59.1-442, no merchant shall sell to any third person information that concerns the purchaser and that is gathered in connection with the sale, rental, or exchange of tangible personal property to the purchaser at the merchant’s place of business without giving notice to the purchaser. If requested by a purchaser not to sell such information, the merchant shall not do so. No merchant shall sell any information gathered solely as the result of any customer payment by personal check, credit card, or where the merchant records the number of the customer’s driver’s license or other document issued under Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 or the comparable law of another jurisdiction.

Conclusion

Based on the above information, it is possible to store personal information about customers in Virginia, but there are specific requirements that must be followed. Agencies must collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency. Merchants must give notice to the purchaser before selling any information that concerns the purchaser and that is gathered in connection with the sale, rental, or exchange of tangible personal property to the purchaser at the merchant’s place of business.

Please note that this is not an exhaustive list of all the requirements for storing personal information about customers in Virginia. It is recommended that you consult with a legal professional to ensure that you are in compliance with all applicable laws and regulations.

Jurisdiction

Virginia

• Privacy