Last Updated on June 29, 2021
The new Virginia Consumer Data Protection Act (CDPA) became law on March 2, 2021, making Virginia the second state after California to enact a comprehensive privacy law. While CDPA substantially resembles the California Consumer Privacy Rights Act (CPRA), its forerunner the California Consumer Privacy Act (CCPA) and other recent privacy legislation in terms of the rights it confers, it also has some unique aspects that could impact your compliance.
Perhaps most importantly, the CDPA’s scope of applicability differs from CPRA. It pertains to firms doing business in Virginia or with Virginia residents that either:
- Handle the personal data of 100,000 or more Virginia “consumers”
- Handle the personal data of at least 25,000 Virginia consumers and also derive 50% or more of their gross revenue from selling personal data
By not including a revenue threshold like CPRA, CDPA won’t automatically apply to large companies. Further, CDPA explicitly targets consumers and excludes employees’ personal data.
CDPA also exempts certain classes of organizations from compliance. These are:
- Entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)—and this exclusion applies to all the data these entities collect, even data not regulated by HIPAA or HITECH
- Any financial institution or data that is subject to the Gramm-Leach-Bliley Act (GLBA)
- Any institution of higher education (IHE)
- All nonprofits
Another big exclusion within CDPA is the whole class of “publicly available information,” which it defines as “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information…”
For those that CDPA applies to, there are a few new twists. One is that “controllers” of covered data are mandated to conduct data protection assessments to evaluate the risks associated with their data processing activities. This applies to firms that either sell personal information (PI), use PI for targeted advertising, process PI for profiling in ways that could potentially harm consumers, process “sensitive PI,” or otherwise process PI in ways that increase consumers’ risk of harm.
That latter classification leaves considerable room for interpretation. It’s an open question how you would determine if this applies to your company or not. Another question is how often assessments need to take place to maintain compliance.
Besides requiring risk assessments, CDPA is similar to CPRA and GDPR in that it obligates businesses to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” However, the new law doesn’t specify what “reasonable” practices are.
In the realm of noncompliance risk, CDPA differs significantly from CPRA in that it does not allow a private right of action by consumers if their data is exposed in a breach. Enforcement is the sole responsibility of the Virginia Attorney General’s Office. Further, the AG must notify controllers of impending action, and give them 30 days to mitigate the issue(s). Fines for subsequent noncompliance can be up to $7,500 per violation—which is liable to be interpreted as “per impacted consumer” rather than “per data breach.”
Because CDPA is more than a “cookie-cutter” variant of CPRA, firms need to study the new law carefully and begin preparing now to address any gaps. CDPA is just the next in a foreseeable series of mandates pending in other states, including New York, Washington, Minnesota and Florida. Many organizations will likely opt for a national or global approach to data protection and privacy, with local variations as required.
To speak with a privacy expert about how new privacy laws could impact your business practices and IT systems, and strategize on approaches to close compliance gaps, contact Pivot Point Security.