Unlock free shipping with $35 orders

The Virginia Consumer Data Protection Act (VCDPA)

I. VIRGINIA RESIDENTS: Summary Of Consumer Rights Under The Virginia Consumer Data Protection Act (“VCDPA”).  

 

A. Overview

The Virginia Consumer Data Protection Act, Va. Code §59.1-575, et seq. (“VCDPA)” took effect on January 1, 2023 and grants new privacy rights to Virginia consumers, including:

  • The right to confirm whether or not a company is processing the consumer’s Personal Information and to access such Personal Information;  
  • The right to delete Personal Information held by businesses and by extension, a business’s service provider;
  • The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company);
  • The right to correct inaccurate Personal Information, taking into account the nature of the Personal Information and purpose of the processing;
  • The right to opt out of the processing of Personal Information for purposes of (1) targeted advertising, (2) the sale of Personal Information, and (3) profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer;
  • The right to prevent the use and disclosure of  sensitive personal information by requiring consumer opt-in;
  • The right to appeal a company’s decision to deny a consumer’s request to exercise their consumer rights; and
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under the VCDPA.

A covered business must disclose and deliver the Personal Information the business collected about the consumer in response to a verifiable consumer request.

For purposes of the VCDPA, “Personal Information” does not include:

  • Publicly available information;
  • De-identified or aggregated consumer information; or
  • Information excluded from the VCDPA's scope, such as:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) and the Driver's Privacy Protection Act of 1994.

 A further summary of consumer rights provided by the VCDPA follows.

B. Right to Access. 

Virginia consumers have a right to (1) confirm whether or not a business is processing the consumer’s personal data and (2) access such data. See below Section II for additional information on how to submit a request to access your Personal Information.

C. Right to Correct Inaccurate Personal Information.

Virginia residents have the right to request that a business that maintains inaccurate personal information about the consumer correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. A business must use commercially reasonable efforts to correct inaccurate personal information as directed by the consumer.           

 

D. Right to Deletion.  

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our Service Providers to delete) your Personal Information from our records, unless an exception applies.

However, the VCDPA provides for certain exceptions to the Right to Deletion. We may deny your deletion request if retaining the information is necessary for us or our Service Providers to:

  1. To comply with federal, state, or local laws, rules, or regulations.
  2. To investigate, establish, exercise, prepare for, or defend legal claims.
  3. Cooperate with law-enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state, or local laws, rules, or regulations.
  4. Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract.
  5. Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another natural person, and where the processing cannot be manifestly based on another legal basis.
  6. Prevent, detect, protect against, or respond to security incidents, identify theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report or prosecute those responsible for any such action.
  7. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement if you previously provided informed consent.
  8. Debug products to identify and repair errors that impair existing intended functionality.
  9. Effectuate a product recall.
  10. Conduct internal research, develop, or improve or repair products, services, or technology.
  11. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

 

E. Right to Portability  

Virginia consumers may obtain a copy of their Personal Information that the consumer previously provided to a business in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another business without hinderance.

F. Right to Opt-Out.

Virginia consumers have a right to opt-out of the processing of their Personal Information for purposes of (1) targeted advertising, (2) the sale of Personal Information, and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. A business that sells consumers' Personal Information to third parties needs to provide notice to consumers thereof and those consumers have the right to opt out of the sale of their Personal Information. A business must provide a "Do Not Sell My Personal Information" link on its Internet homepage that links to an Internet webpage that enables a consumer to opt out of the sale or sharing of the consumer's Personal Information.

G. Sensitive Personal Information

You have the right to limit the Company’s use and disclosure of sensitive personal information to that which is necessary for providing products or services to you.  The Company cannot process sensitive personal information without your consent.

Sensitive personal information includes any private information that divulges any of the following:

  • A consumer’s exact geolocation;
  • A consumer’s racial or ethnic origin, or citizenship or immigration status;
  • A consumer’s religious beliefs;
  • A consumer’s mental or physical health diagnosis
  • A consumer’s biometric data;
  • Personal data collected from a known child; and
  • A consumer’s sexual orientation.

Publicly available information is not sensitive personal information under the VCDPA.

 

H. Right to Non-Discrimination.

A business must not discriminate against a consumer who exercises any of the consumer's rights under the VCDPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data and may offer financial incentives to a consumer for the collection, sale, or deletion of Personal Information on a prior opt-in consent basis.

I. Right to Appeal.

Under the VCDPA, consumers have the right to appeal the Company’s decision to refuse to take action on a consumer request. A consumer must submit an appeal within a reasonable timeframe following receipt of the decision to refuse to process the consumer request. The Company will respond in writing to the consumer within 60 days of receipt of an appeal explaining any action taken or not taken in response to the appeal and an explanation for the decision.

To appeal the Company’s decision, submit a request to:

  • Click on this link to complete and submit the referenced web form;
  • Call us at 1-877-338-0644; or
  • Reach us by email or U.S. mail at:

 

Chosen Foods, LLC.

Attention: Privacy Officer

350 Camino de la Reina, Ste 400, San Diego, CA 92108 Privacy@chosenfoods.com

If you still disagree with the Company’s decision following the appeal, you can submit a complaint to the Attorney General.

 

J. Privacy Policy Requirements. 

A business must describe in its online privacy policy or in any Virginia-specific description of consumer privacy rights the following;

  • Consumers' rights under the VCDPA, including the consumer right to opt out of the sale of the consumer's Personal Information and a separate link to the "Do Not Sell My Personal Information" Internet Web page;
  • The methods for submitting and verifying consumer requests; and
  • A list of the categories of Personal Information that the business has collected about consumers, sold about consumers, and disclosed about consumers for a business purpose in the preceding 12 months.

II. VIRGINIA RESIDENTS: How To Make A VCDPA Consumer Rights Request.

A. Instructions for Submitting a VCDPA Consumer Rights Request to Us. 

If you wish to exercise any of the VCDPA consumer rights summarized above, such as a Request to Know or a Request to Delete Personal Information, you can do so in one of the following ways:

  • Click on this link to complete and submit the referenced web form;
  • Call us at 1-877-338-0644 or
  • Reach us by email or U.S. mail at:

Chosen Foods, LLC.

Attention: Privacy Officer

350 Camino de la Reina, Ste 400, San Diego, CA 92108 Privacy@chosenfoods.com

 

Upon receiving a verifiable Request to Know or a Request to Delete, we will confirm receipt of the request within ten (10) days and provide some information about how we will verify and handle the request, and by when you should expect to receive a response.

 

Please note that you may only make a verifiable consumer request under the VCDPA two times within any 12-month period.

 
B. Verification Of The Person Making A Consumer Rights Request.

Of course, we need to be reasonably sure that the person making the request is actually you! So, we may need some information from you to verify that you are the person whose Personal Information you are asking to know about or to delete. Accordingly, the verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

 

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.  Making a verifiable consumer request does not require you to create an account with us.  We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

 

 

C. Response Timing and Format. 

We will try to respond to a verifiable consumer request within forty-five (45) days of its receipt.  If we need more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account.  If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.  Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. 

If you are making a Request to Delete your Personal Information, we will re-confirm with you that you really want your information deleted after verifying your request.

If we cannot respond to or comply with your Request to Know or Request to Delete, say because we cannot verify your identity or because an exception applies, we will explain the reasons we cannot comply with your request.  For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.