Virginia governor, Ralph Northam, signed the Consumer Data Protection Act (CDPA) on March 2nd, 2021, underscoring the current of new privacy regulations circulating state legislatures. The passage of CDPA exemplifies the appetite across the country for increased user privacy; however, void of national action, states are left to create their own disparate laws.
Distinct state laws are not uncommon, but given the cross-national nature of the internet, most large organizations are required to abide by every local privacy regulation. While privacy laws, such as the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), and now the CDPA, have large overlaps in policy, each contain their own distinct verbiage and protections. These minor differences prove to be a headache to compliance managers as they navigate the increasingly complicated privacy landscape.
To that end, this post will explore the ways Virginia’s CDPA will affect the overall privacy topography, addressing the scope of CDPA coverage, consumer protections, and compliance requirements.
Scope of CDPA Compliance
How does CDPA define personal information?
Similar to other privacy regulations, the focus of coverage is centered on information that can be used to identify the user, specifically, CDPA applies to “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, this does not include de-identified or publicly available information.
What organizations will be forced to comply?
CDPA protects Virginia residents from organizations that deal in personal information. Accordingly, CDPA affects any business located in or who conducts business with Virginia. Narrowing that further, CDPA only applies to businesses that either “control or process personal data of at least 100,000 consumers” or “control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data” within any given calendar year.
How and when will CDPA compliance be enforced?
CDPA is not slated to take effect until the first of January 2023, giving organizations just under two years to prepare their compliance strategy. Virginia lawmakers wanted to ensure that CDPA focused on compliance over profit, so organizations deemed non-compliant will only be prosecuted after a 30-day correction period. Further, unlike California’s CCPA, legal action can only be taken by the Virginia Attorney General.
Protected CDPA Consumer Rights
For those familiar with the privacy landscape, the six consumer rights outlined in CDPA will echo that of other regulations, in that Virginians will have the...
Right to access
Virginia residents can request that organizations share what personal information of theirs is being stored and how it is being processed.
Right to rectification
If a user’s private information is incorrect, they also have the right to make companies correct their records.
Right to deletion
Alternatively, if the resident prefers, they can also request that their personal data be permanently deleted.
Right to data portability
Given that sensitive data is inherently owned by the subject, the right to data portability allows individuals to obtain their personal information from a controller and use it for their own purposes.
Right to opt-out of data processing
The right to opt-out of processing means that individuals can choose to not have their personal data sold or used for targeted advertising and profiling.
Right not to be discriminated against
Lastly, Virginians are ensured that their privacy choices will not result in organizations “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services.”
Organizational CDPA Compliance Requirements
Outside of complying with the above user rights, businesses subjected to CDPA compliance must undergo other efforts to mitigate the risks of storing sensitive information, including:
In general, CDPA requires businesses to limit their personal data collection to only what is “adequate, relevant, and reasonably necessary." Essentially, CDPA asks that organizations do not ingest or retain superfluous sensitive information.
Limit data processing
In that same vein, businesses cannot process personal data unnecessarily, restricting all data processing to only what is required and outlined in their consumer consent form.
Establish data security practices
New to the privacy landscape, CDPA requires businesses to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” While there are no benchmarks listed in the legislation as to what cybersecurity is required, it does mention that the degree of security is dependent on the “volume and nature of the personal data.”
Conduct data protection assessments
CDPA also mandates organizations assess their data processing risks by conducting data protection assessments for each of their processing activities, such as targeted ads, personal information sales, and customer profiling.
Acquire user consent
No business under CDPA will be allowed to process sensitive information without first obtaining explicit user consent.
Complications with CDPA Compliance
As with any privacy regulation, the act of CDPA compliance may be more complicated than expressed in legislation. For example, complying with such regulations paradoxically requires organizations have complete control over personal data, which forces private information to be found and highlighted when it may have otherwise been kept in the dark. Isolating personal information without focusing on sensitive materials additionally falls outside the existing technological capabilities of many organizations.
As a user, very few people want their personal information to be exploited. However, personal data can be incredibly valuable—both economically and socially. Notably, public access to sensitive information has been used to accelerate COVID vaccine discovery and used to curate a more enjoyable internet experiences across the spectrum of social media, shopping, and streaming. The challenge ahead will be learning how to incorporate the benefits of data processing without the cost to individuals’ privacy—effectively, taking the “personal” out of “personal data.”