Following in California’s footsteps, Virginia recently passed its own comprehensive consumer data privacy legislation, the Consumer Data Protection Act (CDPA). CDPA introduces a new set of data rights for consumers in Virginia while also creating new obligations for businesses. As the second comprehensive state privacy law in the United States, the CDPA’s passage is a significant milestone in the country’s privacy regulations.
Defining Scope and Personal Data
CDPA “applies to all persons that conduct business in Virginia and either: control or process personal data of at least 100,000 consumers or derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.”
Unlike the California Consumer Privacy Act (CCPA), CDPA involves no revenue threshold to establish compliance obligation, but it does include a number of significant exemptions. While CCPA only exempts the data that is subject to most existing U.S. sectoral privacy laws, CDPA exempts employee-related data as well as the actual entities that are subject to those sector-specific laws, even if the activity is not within the scope of those regulations. Financial institutions and health care organizations, for example, will likely have no obligation to comply with CDPA.
The law defines “personal data” broadly as any information that is “linked or reasonably linked to an identified or identifiable natural person.” Publicly available information and de-identified data—information that “cannot reasonably be linked to an identified or identifiable natural person [or] a device linked to such person”—does not constitute personal data.
CDPA also expands California’s definition of personal data to include “sensitive data,” which echoes GDPR’s “special categories of personal data.” Among other categories, this covers: race, religion, sexual orientation, biometric data, mental or physical health diagnosis, personal data collected from a known child, and precise geolocation.
Data Rights for Consumers
The CDPA provides Virginian consumers with six main data rights:
- Right to access: Consumers have the right to confirm whether or not a business is processing their personal data, and to access such personal data.
- Right to correct: Considering the nature of the personal data and the purposes of the processing, consumers have the right to correct inaccuracies in their personal data.
- Right to delete: Consumers have the right to delete personal data they have provided or that a company has obtained.
- Right to portability: Consumers have the right to obtain a copy of their personal data in a portable format that enables them to transmit the data to another business without hindrance.
- Right to opt-out: Consumers have the right to opt-out of the processing of personal data for purposes of targeted advertising, the sale of data and certain types of profiling.
- Right to appeal: Businesses must respond to a consumer request within 45 days of receipt. If the appeal is denied, the controller must inform the consumer how they can submit a complaint to the state attorney general.
In addition to establishing these six data rights, the CDPA establishes several additional obligations for organizations that collect or use the data of individuals in Virginia, including:
- Collection limitation: CDPA limits the collection of personal data to that which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
- Use limitation: Once data has been collected, a business must refrain from processing data for purposes that are not “reasonably necessary” or are incompatible with the disclosed purpose for data processing, unless consent is obtained.
- Technical safeguards: Businesses must “implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.”
- Data protection assessments: Data controllers must conduct data protection assessments that evaluate the risks associated with certain activities, like targeted advertising or processing sensitive data.
- Data processing agreements: CDPA requires agreements between controllers and processors that “clearly set forth instructions for processing data, the nature and the purpose of the processing, and the rights and obligations of both parties.”
- Transparency requirements: The CDPA contains a provision requiring controllers to provide consumers with a privacy policy that states the categories of personal data processed, the purpose for processing, details for appeal and third-party information.
Enforcement and Effective Date
Unlike CCPA, CDPA includes no private right of action, so individuals are not able to directly sue companies that violate the regulation. Instead, Virginia’s attorney general has the exclusive authority to enforce violations of the law. The law provides a 30-day cure period for any infractions, after which the attorney general’s office can seek damages of up to $7,500 per violation.
The law will go into effect on January 1, 2023, the same day as the California Privacy Rights Act (CPRA), which updates and furthers the CCPA. While companies may already be in compliance with CCPA and many are actively working to prepare for the upcoming CPRA, companies should also now focus on preparing for CDPA.
First, it is critical to create a compliance plan. This will vary depending on your organization’s size, complexity and business model. While CDPA has certain unique requirements, organizations that already have solid efforts underway for CCPA and GDPR compliance may face a minimal lift to meet these obligations as well.
Second, know your data. With every new piece of privacy legislation, companies face the practical challenge of truly knowing their data. Traditional manual approaches to data discovery cannot identify all of an organization’s data. Companies should consider investing in automated tools to ensure accurate discovery and classification of personal and sensitive data, and to act quickly on consumer requests.
Third, enable end-to-end data rights. Given the breadth and variety of data rights from different laws, automation of data rights will become essential. Major privacy laws and the growing number of proposed state bills have all but necessitated this trend. Businesses need to automate the process from intake to fulfillment to create a stronger privacy management program.
As state and federal authorities continue to focus on regulating data privacy and security, companies will need mature strategies to monitor these developments and meet compliance obligations.