Growing Privacy Laws in the US: Adding Virginia’s CDPA
On March 2, 2021, Virginia became the second state in the United States—and the first state on the East Coast—to pass a data privacy law. The Consumer Data Protection Act, or CDPA, brings together concepts from both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR). Virginia’s new law is tailored to avoid many of the problems that both CCPA and GDPR encountered in development and implementation by incorporating narrower definitions that clearly exclude the categories of data and businesses where there was (and still is) some confusion with respect to CCPA and GDPR compliance.
What does all of this mean to businesses that have been trying to comply with evolving regulation in the space since GDPR went into effect in 2018? Let’s take a look at some key points from CDPA and see where companies may need to enhance their privacy policies and processes.
CDPA: The Key Points
Consumer Rights:
- Right to Know: Consumers will have the right to know whether or not a business is processing their personal information.
- Right of Access: Consumers will have the right to access their personal information, and to obtain a copy of it in a readily useable format (to the extent “technically feasible”).
- Right to Correct Inaccuracies: Consumers may request that inaccuracies in their personal information be corrected by the business, taking into account the nature of the information itself and the purposes of the business’ processing of the consumer’s information.
- Right to Data Portability: Consumers will have the right to obtain a copy of their data from the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller.
- Right to Opt Out: Virginia consumers will have the right to opt out of several different uses of their personal information:
  - Targeted advertising
  - The sale of their personal information
  - Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Consumer Rights Response Time and Obligations:
Businesses that are subject to the Virginia CDPA must respond to requests by consumers to exercise these rights without “undue delay” and in all cases within 45 days of receipt, with an additional 45-day extension available if reasonably necessary for the business to comply. If a business needs the additional extension, it still must respond to the consumer during the first 45-day period and provide the reason for the delay.
A business may decline to take the action requested by a consumer, for example when it cannot authenticate the consumer’s identity, or when the data requested is not of a nature that is subject to the statute (such as employment data). In that case, the business must provide the reason for declining and instructions about how to appeal that decision, all within 45 days of receipt of the initial request from the consumer. Any appeal must be decided within 60 days of receipt, and a written explanation must be provided to the consumer together with a method (online or otherwise) for the consumer to contact the Attorney General to submit a complaint.
Data Processing Obligations:
The CDPA sets out several obligations similar to GDPR for businesses processing personal data. These obligations include:
- Data Minimization: Businesses must limit the collection of personal data to “what is adequate, relevant, and reasonably necessary” in relation to the purpose for the data processing.
- Purpose Limitations: Businesses must process personal data only for purposes reasonably necessary or compatible with the purposes disclosed in the business’ privacy policy.
- Security Controls: Businesses must establish, implement, and maintain “reasonable administrative, technical, and physical data security practices” to protect the confidentiality of personal data.
- Consent: Businesses must obtain express consent from consumers when the business processes sensitive data or deviates from the purposes disclosed within the business’ privacy policy.
- Data Protection Assessments: Businesses must conduct data protection assessments (DPAs) to evaluate the risks associated with the following data processing activities:
  - The sale of personal data
  - When processing sensitive personal data
  - When processing personal data for targeted marketing purposes
  - When processing personal data for profiling purposes
  - Instances where processing presents a heightened risk of harm to consumers
Data Controllers and Data Processors:
Just like GDPR and CCPA, Virginia CDPA reiterates that “controllers” are fully responsible for their “processors.” This requires that a contract is in place between a company and each of its vendors that share or sell data with it, and that the contract must include, at a minimum, provisions that address:
- The type of personal data to be shared
- Instructions detailing the processing done by the recipient of the personal data
- The duration of the processing
- A duty to maintain the confidentiality of the personal information by both parties
- An obligation that the processor delete or return the data to the controller at the end of the services unless the processor is legally required to retain it
- A right of the controller to assess the processor’s policies (itself, or by using a designated assessor) and its technical and organizational measures with respect to compliance with the Act—effectively an audit/diligence provision—together with the right of the controller to receive a report on the same; and a requirement that the processor flow these obligations down to its downstream vendors and subcontractors.
While this law was passed in 2021, Virginia’s CDPA will not be enforced until January 2023, giving the state ample time to outline and update exceptions to the law. Even the regulations listed above could be subject to change over the next year and a half before the compliance mandate is fully enforced. What I have not stated here are the exemptions to the law. That is because these all are subject to change and most likely will, prior to the CDPA enforcement date of January 2023.
Know Your Data
As you can tell, Virginia’s CDPA is continuing the trend of requiring organizations to know their data. If you want to be able to properly protect data and provide consumer rights, all while providing the best services possible, it’s imperative to know the five W’s of your data: Who, What, Why, When, Where, and one H, How. Furthermore, CDPA is attempting to make privacy laws more understandable and more easily leveraged by consumers. This includes items such as highlighting ways to opt out of consent and/or processing, as well as how to contact the Attorney General if required. This may lend itself not only to an increase in CDPA consumer requests, but also to increases in both GDPR and CPRA data subject access requests, since those privacy notices could also be updated and simplified as well.
I do believe the announcement of Virginia CDPA will reignite the Data Privacy and Security focus, enabling teams impacted to refocus their efforts and potentially expand funding for their initiatives. CDPA is further proof that Data Privacy doesn’t stop at California, or Virginia, or any other state for that matter. If they haven’t done so already, organizations should begin incorporating data discovery, data classification, data minimization, records of data processing activities, and data protection assessments as part of their everyday processes and controls.
Find out how PKWARE can help you achieve and maintain compliance. Request your free demo now.