Earlier this year, Virginia became the second US state (following California) to enact a comprehensive privacy law, the Consumer Data Protection Act (CDPA). It will come into effect on the same date as the California Privacy Rights Act (CPRA): January 1, 2023.
Here’s a (very brief) overview of Virginia’s Consumer Data Protection Act (CDPA):
Covered entities under the CDPA
The CDPA applies to entities that operate in Virginia or collect personal data from or about Virginia residents and that control or process the personal data of:
- At least 100,000 consumers within a calendar year; or
- At least 25,000 consumers and receive over 50% of gross revenue from the sale of personal data.
Unlike California’s legislation, the CDPA does not include an annual revenue threshold. The CDPA also defines a sale of personal data much more narrowly than California does: under the CDPA, a “sale” of personal data is “the exchange of personal data for monetary consideration”, while under California law a sale is an exchange for “monetary or other valuable consideration.”
Entities exempted under the CDPA
The CDPA also exempts five types of entities: (1) state agencies, commissions, and other governmental bodies and political subdivisions; (2) financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); (3) businesses subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH); (4) non-profits; and (5) higher education institutions.
Entity obligations under the CDPA
For companies that fall within the scope of the new law, the CDPA requires covered entities to:
- Publish consumer-facing privacy policies.
- Limit collection of personal data to that which is ‘adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed’.
- Limit the use of collected data to the purposes disclosed to consumers and to what is reasonably necessary for those purposes. Consent is required for any other use of the data.
- Develop and maintain technical safeguards, including reasonable administrative, technical, and physical data security practices.
- Undertake data protection assessments for sales, targeted advertising, and profiling activities to evaluate risk.
- Implement data processing agreements with vendors and service providers that outline instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
5 Action Items to Future-Proof Privacy Compliance
The Virginia privacy law will likely apply to many companies. Meanwhile, lawmakers in Washington, New York, Minnesota, Connecticut, Mississippi, and Oklahoma are contemplating comprehensive privacy laws, and calls for a federal privacy bill are growing louder by the day.
The reality is that consumer privacy rights are going to continue to increase into the future. For companies, this presents an opportunity to overhaul current practices and turn privacy into a competitive advantage.
These 5 tips can help you take steps toward compliance with the CDPA while strengthening your future privacy program:
- Get a grasp on whether any of the data you handle is considered “sensitive” or “special” data. Increasingly, privacy laws impose extra obligations on companies that collect particular types of information considered to carry heightened risk, such as data relating to children, racial or ethnic origin, or sexual orientation. For instance, the CDPA requires affirmative consent (an opt-in) before sensitive personal data may be processed.
- Use privacy impact assessments (PIAs) as a business tool. While the GDPR and the CDPA both require privacy risk assessments in certain circumstances, it is good practice to undertake a PIA whenever your company introduces or changes a data handling practice.
- Confirm that you have appropriate contractual protections in place with your vendors and service providers. Like the European Union’s General Data Protection Regulation, the CDPA requires that a data processing agreement be in place before any personal data is shared with a vendor or service provider that will have access to it. A number of very specific terms must be included in this agreement. Review your relationships with outside parties and make sure you have agreements in place where you need them.
- Implement data minimization practices. Your company should collect data with a defined purpose, limit it to only what you need to achieve your objectives, and develop processes that ensure it is deleted as soon as it is no longer required. It is time to move away from collecting data for data’s sake.
- Ensure you have adequate cybersecurity measures in place. Personal data should be protected by robust technical mechanisms throughout its lifecycle, until it is securely destroyed. Cybersecurity is an essential element of this, but your staff represent your company’s largest privacy risk. You should develop ‘human error resistant’ privacy practices wherever possible, including access control measures, two-factor authentication, and regular staff training.