When a Privacy Policy Is Not Enough: Website Compliance Issues for Virginia Companies
General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.
The information in this article is for general informational purposes only and does not constitute legal advice. Laws change and individual circumstances vary. Consult a licensed Virginia attorney about your specific situation. Reading this article does not create an attorney-client relationship nor does merely contacting our office through this website or any other means.
When a business learns it needs a privacy policy, the typical response is to find a template, customize it with the company name, post it on the website, and consider the matter closed. That approach was inadequate before Virginia enacted the Consumer Data Protection Act, and it is even less adequate now.
A privacy policy is a legal disclosure document, but it is only one component of a functional privacy compliance program. The gap between having a privacy policy and being in compliance with Virginia and federal law is often significant. For businesses in Christiansburg, Blacksburg, and the New River Valley that want to understand where that gap might exist, this article describes the most common areas where a posted policy is not enough.
The VCDPA Creates Operational Requirements, Not Just Disclosure Obligations
The Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-571 et seq., requires covered businesses to do more than publish a privacy notice. It imposes operational obligations that require systems, processes, and staff capable of carrying them out.
Consumer Rights Request Handling
Virginia consumers have the right to access, correct, delete, and obtain a copy of their personal data. Covered businesses must respond to authenticated consumer requests within 45 days, with a possible 45-day extension if the business notifies the consumer and explains the reason for the delay.
A privacy policy that lists these rights means nothing if the business has no system for receiving requests, no process for authenticating who is making the request, and no workflow for actually retrieving, correcting, or deleting the data within the required timeframe.
Many businesses that have published VCDPA-compliant privacy notices have never received a consumer rights request. That does not mean their systems for handling such requests are adequate. It means they have not been tested. When a request arrives, particularly if it is contested or involves a customer complaint to the Attorney General, the business’s ability to demonstrate a functioning compliance program becomes important.
Opt-Out Mechanisms That Actually Work
The VCDPA gives consumers the right to opt out of:
- The sale of their personal data
- Targeted advertising
- Profiling that produces legal or similarly significant effects
Complying with these opt-out rights requires more than adding an opt-out link to a privacy policy page. Businesses must:
- Provide a clear and conspicuous method for consumers to submit opt-out requests
- Actually stop the processing activity in response to a valid opt-out (stopping targeted advertising means configuring advertising systems to exclude that consumer)
- Honor Global Privacy Control (GPC) signals, which are browser-based opt-out signals that consumers can enable to automatically communicate opt-out preferences to websites
The GPC requirement is particularly demanding because it operates at the technical level. A business that has written an opt-out process into its privacy policy but has not configured its website to recognize and respond to GPC signals is not complying with that requirement, regardless of what the policy says.
Data Processing Agreements
Businesses subject to the VCDPA that share personal data with vendors must have data processing agreements (DPAs) in place. A privacy policy that describes data sharing arrangements is not a substitute for the contractual agreements the law requires with each processor.
The Gap Between Your Privacy Policy and Your Actual Practices
One of the most common and most serious compliance failures is a discrepancy between what a privacy policy says and what a business actually does.
The Federal Trade Commission has made deceptive privacy policies a priority enforcement area. Under Section 5 of the FTC Act, representing to consumers that you handle their data in a certain way, and then handling it differently, is a deceptive practice regardless of whether the misrepresentation was intentional.
Common discrepancies include:
- Undisclosed third-party data sharing: The privacy policy says personal data is not sold or shared with third parties, but the website runs advertising pixels that send visitor data to advertising networks in exchange for advertising services.
- Inaccurate data retention descriptions: The policy states that data is deleted after a specified period, but data is actually retained indefinitely in backups or analytics platforms.
- Stale descriptions of data collection: The policy was written two years ago and does not reflect new features, integrations, or data collection practices that have been added since.
- Cookie practices not reflected in the policy: The policy does not mention cookies or tracking technologies even though the website uses them extensively.
Each of these discrepancies is a potential FTC enforcement issue and, for VCDPA-covered businesses, a potential Attorney General matter.
Cookie Consent vs. Privacy Policy
Many Virginia businesses treat their cookie consent banner and their privacy policy as the same compliance tool. They are distinct.
A privacy policy is a comprehensive disclosure of your data collection and use practices across all contexts, including online and offline, over the full course of your customer relationships.
A cookie consent interface is a mechanism through which you inform users specifically about cookies and tracking technologies used on your website and, where required, obtain or honor their choices about those technologies.
Having a privacy policy does not satisfy your obligation to provide a functional cookie opt-out mechanism. Having a cookie banner does not replace the obligation to maintain an accurate, comprehensive privacy policy. Both must exist and both must be accurate.
Terms of Service vs. Privacy Policy
Terms of service and privacy policies serve different functions and should not be conflated.
A terms of service (or terms of use) document establishes the contractual relationship between the business and the user, including acceptable use rules, intellectual property rights, limitation of liability, dispute resolution, and similar provisions.
A privacy policy discloses how personal data is collected, used, and shared. Privacy policies are governed by privacy law. Terms of service are governed by contract law.
Attempting to handle privacy disclosures within a terms of service document is a common mistake that can create compliance gaps. Regulators and courts look for standalone privacy policies that are clearly labeled and readily accessible, typically from a link in the website footer.
FTC Enforcement on Deceptive Privacy Policies
The FTC has pursued enforcement actions against businesses of various sizes for deceptive privacy practices. Common themes in FTC complaints include:
- Claiming not to share data with third parties while sharing data with advertising networks
- Claiming data is de-identified or anonymous when it remains reasonably re-identifiable
- Collecting more data than disclosed in the privacy policy
- Failing to honor privacy choices communicated by users
- Making material changes to privacy policies retroactively without notice to affected users
The FTC can impose significant civil penalties for COPPA violations and can impose substantial consent decree obligations on companies found to have engaged in deceptive practices. Consent decrees typically require ongoing compliance monitoring for 20 years and can include regular third-party audits.
Virginia Attorney General Enforcement Priorities
The Virginia Attorney General enforces the VCDPA. While the AG has not yet issued detailed enforcement priority statements comparable to those published by some state AGs, the general framework of VCDPA enforcement follows the pattern established during the law’s drafting: focus on meaningful consumer harm, with a preference for the cure period to resolve technical violations.
Businesses that receive a VCDPA violation notice from the AG have 30 days to cure the violation and provide a written statement certifying the cure. If the violation is genuinely cured, civil penalties may be avoided. This structure incentivizes having compliance processes in place before a complaint arrives, because the 30-day window is tight.
Businesses should monitor AG announcements and VCDPA-related legal developments for guidance on enforcement priorities as the law matures.
An Annual Privacy Review Process
Compliance is not a one-time project. A practical approach for Virginia businesses is to conduct an annual privacy review that addresses:
- Data inventory update: Has your business begun collecting new types of personal data? Have you added new tools, platforms, or integrations that share data with third parties?
- Privacy policy accuracy check: Review your privacy policy against your current actual data practices. Update the policy to reflect any changes.
- Cookie audit: Scan your website to identify all tracking technologies currently deployed and compare against what is disclosed in your privacy policy.
- Consumer rights process test: Simulate receiving a consumer rights request and trace it through your response process to identify bottlenecks.
- Vendor contract review: Confirm that data processing agreements with vendors are current and compliant with VCDPA requirements.
- GPC technical check: Test whether your website correctly recognizes and responds to Global Privacy Control browser signals.
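The GPC requirement described above and the GPC technical check in this list both come down to one piece of website behaviour: detecting the signal and changing what the site loads. The following is an added example, not code from this article or from Valley Legal. The `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` are the signals the Global Privacy Control specification defines; the consent-record shape, the tracking-config fields, and the `handleRequest` helper are assumptions for illustration.

```javascript
// Added example (not from the article): recognize a Global Privacy Control signal
// and turn off targeted advertising / data sale for that visitor.

// True when the request carries "Sec-GPC: 1" (header names are case-insensitive).
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// True when the browser exposes the GPC signal to page scripts.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the stored consent record (assumed shape: { targetedAdsOptOut: bool })
// with the GPC signal. GPC is treated as a valid opt-out request, so it can only
// add restrictions; it never removes an opt-out the consumer made explicitly.
function resolveTrackingConfig(consentRecord, gpcSignal) {
  const explicitOptOut = Boolean(consentRecord && consentRecord.targetedAdsOptOut);
  const optedOut = explicitOptOut || gpcSignal;
  return {
    targetedAdvertising: !optedOut, // ad pixels and retargeting tags
    dataSale: !optedOut,            // sharing with ad networks in exchange for services
    essential: true,                // session, security and fraud-prevention cookies stay on
    source: gpcSignal ? "gpc" : explicitOptOut ? "explicit" : "none",
  };
}

// Server-side use: decide per request which tags the page may render, and emit an
// audit line so the annual review can show that GPC signals were actually honored.
// `consentStore` is an assumed Map of userId -> consent record.
function handleRequest(req, consentStore) {
  const gpc = gpcFromHeaders(req.headers);
  const record = consentStore.get(req.userId);
  const config = resolveTrackingConfig(record, gpc);
  const auditLine = `user=${req.userId} gpc=${gpc} targetedAds=${config.targetedAdvertising} source=${config.source}`;
  return { config, auditLine };
}

// Constructed sample: a visitor with GPC enabled in the browser and no stored choice.
const sampleRequest = { userId: "visitor-123", headers: { "Sec-GPC": "1" } };
const sampleDecision = handleRequest(sampleRequest, new Map());
console.log(sampleDecision.auditLine); // user=visitor-123 gpc=true targetedAds=false source=gpc
```

In page scripts the same decision can be made from `gpcFromNavigator(navigator)` before any advertising tag is injected, so a visitor whose browser sends the signal never has the tag loaded in the first place.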
Businesses in Christiansburg, Blacksburg, and throughout the New River Valley that conduct this kind of annual review are substantially better positioned to respond to a consumer complaint or Attorney General inquiry than businesses that treat a privacy policy posting as a complete compliance solution.
This article is general information only and is not legal advice. Do not rely on this article to make decisions about your specific situation. Contact Valley Legal or another licensed Virginia attorney to discuss your case. Attorney advertising.
Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.