Our products enable customers to comply with the requirements of the Virginia Consumer Data Protection Act (the “VCDPA”). The VCDPA took effect on January 1, 2023; however, prior to initiating any action under the VCDPA, the Virginia Attorney General will provide written notice of any violations, and organizations that cure the violation within thirty days will not be subject to an enforcement action.
The VCDPA, very generally, requires businesses to:
The VCDPA applies to for-profit organizations doing business in Virginia that: (a) control or process personal data of 100,000 or more consumers during a calendar year, or (b) control or process the personal data of 25,000 or more consumers and derive over 50% of gross revenue from the sale of personal data.
The VCDPA does not apply to nonprofits. Additionally, the VCDPA excludes certain types of data, such as patient identifying information under HIPAA and personal data regulated by FERPA.
Please consult with your organization’s legal counsel to determine your compliance obligations under the VCDPA.
When Blackbaud receives customers’ constituent data in connection with the Blackbaud Solutions, we are acting as a service provider. If we receive an access request, an opt-out request, or a request to delete or correct from a consumer regarding personal information that we collect or hold on a customer’s behalf, we will inform the consumer that they should submit the request directly to that customer.
Many of the VCDPA requirements are to be fulfilled by the organization outside of our solutions. We have provided instructions on how an organization can correct, delete, or de-identify personal data within a solution and query data in a solution to respond to access requests. See the Product Documentation section of this site for information on how to accomplish these tasks in your solution.
For solutions that provide an organizational homepage to a customer, you can include and self-title a hyperlink at the bottom of the homepage that will link to your site for handling privacy requests. In addition, such homepage will respect the opt-out preference signal Global Privacy Control.
Solutions containing constituent records will allow customers to flag constituent records as having opted out of sale or targeted advertising.
Our solutions that collect data directly from your constituents will allow you to include a link directly to your organization’s privacy notice. Where needed, you can provide certain information to a constituent at the time the data is collected by linking to the specific section in your privacy notice that contains this information.
We have made changes here at Blackbaud for our own compliance with the VCDPA, particularly with respect to our Data Intelligence business. We have prepared new privacy notices, implemented mechanisms for individuals to submit expanded consumer rights requests, and readied our engineers to create robust subject access reports upon request. Blackbaud acts as a data controller when it provides Data Intelligence services, including Target Analytics®, and accordingly will comply with Virginia consumers’ access requests, deletion requests, correction requests, and opt-out requests. Individuals who opt out of the sale of their data will be excluded from the data sets we use for customer data enrichment services.
While the information provided above is reliable, it does not constitute legal advice and should not be construed as legal advice or a legal opinion on any specific facts or circumstances.