
VCDPA Enforcement: What You Need to Know

In a significant development, a company has come under fire in Virginia for creating a ‘burdensome’ process for consumers to access their data. The case is a reminder that companies should take care to make privacy compliance under the VCDPA not only visible but also easy for consumers to access. The Virginia Consumer Data Protection Act (VCDPA), enacted in 2021, aims to give residents greater control over their personal data. However, recent allegations against Socure, an identity verification company, highlight the challenges and subtleties businesses face in complying with these laws.

Del. Cliff Hayes, who championed the VCDPA, has raised concerns about Socure’s compliance with the act. “Virginians have a right to know under the law what information you gather and hold on them, and so far it appears you are actively attempting to make that information extremely difficult to obtain,” Hayes wrote. Unsatisfied by Socure’s response stating they do not see any disruption to Virginia consumers’ ability to access their data, Hayes has communicated his concerns to Virginia Attorney General Jason Miyares.

Hayes’ accusations underscore the difficulties companies encounter in ensuring full compliance while also maintaining security and operational efficiency.

Hayes’ Accusations Levied Against Socure

Del. Cliff Hayes has accused Socure, an identity verification company, of violating Virginia’s Consumer Data Protection Act (VCDPA). Hayes alleges that Socure’s process for handling consumer data requests is burdensome and discriminatory. Specifically, he claims that:

  • Consumers receive a link to verify their identity and agree to Socure’s Terms of Use, which includes waiving rights to future class action lawsuits and agreeing to binding arbitration. If consumers do not agree to the terms, their data inquiry is canceled.
  • Even those who agree to the terms face difficulties, as they receive their data in an encrypted email with a zip file, which can be hard to access, particularly for individuals who are not technologically proficient. Hayes argues this practice discourages access to information and discriminates against lower-income individuals.

The allegations against Socure illustrate the complexities of adhering to the VCDPA and highlight the difficulties companies face in balancing their own security measures with user accessibility. Ensuring compliance without adding barriers to consumer rights is a delicate task.

The Importance of Compliance Without Barriers

Under the VCDPA, businesses must not incorporate additional barriers that could prevent consumers from exercising their rights. This requirement is crucial because:

  • Equity and Accessibility: All consumers, regardless of their technological proficiency or socioeconomic status, should have equal access to their data.
  • Transparency and Trust: Transparent practices build consumer trust and demonstrate a company’s commitment to data protection.

However, achieving these goals can be challenging, especially when robust identity verification processes are necessary to prevent fraud. Companies must design systems that are both secure and user-friendly, ensuring their effort to achieve legal compliance does not inadvertently create obstacles for consumers.

Legislative Landscape and Its Impact on Businesses

The VCDPA is part of a broader legislative landscape that includes various state laws and federal guidelines. Understanding and complying with these laws is critical for businesses. Key components to consider include:

  • Governance Boards and Processes: Establishing a governance board to oversee data practices ensures that policies are followed and compliance is maintained over time.
  • Evaluating Use Cases: Regularly assess the data collection and usage practices to ensure they align with legal requirements.
  • Notice and Disclosure: Clearly communicate data practices to consumers, ensuring transparency.

As more states enact privacy laws, the complexity of compliance will only increase, highlighting the need for a comprehensive and adaptive approach to data protection.

Comply with current privacy laws and prepare for upcoming regulations with Truyo. The streamlined DSR intake process gives your users compliant and consumer-friendly options to exercise their data rights. If you have questions about how Truyo can help you automate your DSR responses and comply with VCDPA, reach out to hello@truyo.com.


Author

Dan Clarke
President, Truyo
July 31, 2024
