Last Updated on April 28, 2021
The new Virginia Consumer Data Protection Act (CDPA) draws heavily on prior legislation like the California Consumer Privacy Rights Act (CPRA) and its predecessor the California Consumer Privacy Act (CCPA). But while some have wrongly dubbed it “CPRA Lite,” CDPA is equally as comprehensive as its California counterparts.
Similar to CPRA and CCPA, Virginia’s CDPA spells out consumers’ rights to control how companies use their personal data. It also specifies how companies must protect consumers’ data and respond to requests regarding it.
CDPA introduces new definitions and requirements that could well be influential in their own right, especially on bills forthcoming from other US states. These unique aspects could also impact your compliance. The new law goes into effect on January 1, 2023, the same day as CPRA, so it’s important to plan holistically for these and other pending state privacy bills.
Who must comply with CDPA?
Mirroring CPRA, the volume threshold for CDPA compliance is handling the data of 100,000 or more consumers per calendar year, or 25,000+ consumers if you derive over 50% of gross revenue from the sale of personal data. What’s different with CDPA is it doesn’t define a revenue threshold, so it won’t automatically apply to large businesses irrespective of whose data they process.
Another big difference is that CDPA exempts whole classes of organizations outright. These include any business subject to HIPAA and HITECH, any financial institution (or financial data) subject to the Gramm-Leach-Bliley Act (GLBA), any institution of higher learning, and all nonprofits.
What data does CDPA apply to?
CDPA excludes from coverage what it defines as “publicly available information,” which is “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information…” De-identified/redacted data is also excluded.
Moreover, CDPA explicitly doesn’t cover employee data—only consumer data.
But like CPRA, CDPA has special requirements around “sensitive personal information” (sensitive PI), which both define similarly (social security numbers, driver’s license numbers, credit card or bank account numbers, etc.).
What consumer rights does CDPA enforce?
The CDPA applies to persons living in Virginia who are acting in an individual or household context (not commercial or employment). The new law directs controllers to respond as follows upon request from consumers:
- Verify whether or not you process the requestor’s PI; and, if so, give them access to their personal data that you are holding/processing
- Give them a copy of the data you have about them in a convenient format
- Delete their PI
- Correct any errors in their PI
- Honor any request to opt out of the processing of PI when used for sale, profiling, or targeted advertising
Note that consumers’ opt-out rights under CDPA go beyond just the sale of their data, and thus could require you to apply opt-out requests across a wide range of internal data processing activities (e.g., marketing/advertising).
The default response time to comply with consumer requests under CPDA is 45 days. Beyond that, consumers have the right to appeal to the Virginia Attorney General’s Office if they’re dissatisfied with a decision or action regarding their privacy request. This adds an extra level of compliance monitoring to the consumer response process. Further, organizations are obliged to “conspicuously” instruct consumers about how they can escalate their appeal up to the AG.
How will CDPA be enforced?
The Virginia Attorney General’s Office is solely responsible for enforcing CDPA. There is no private right of action for consumers whose data is exposed in a breach.
Also, while CPRA eliminates the CCPA’s 30-day “grace period” for presumed violators to rectify suspected issues, this benefit resurfaces in the CDPA. Like CPRA, lines for noncompliance can be up to $7,500 per violation under CDPA. Note that a “violation” is likely to be interpreted as pertaining to each impacted consumer, not an entire data breach incident.
Does CDPA compel security as well as compliance?
It’s axiomatic that you can’t have privacy without security. While CPRA does not explicitly require any cybersecurity assessment, CDPA mandates a “data protection assessment” for “controllers” (those entities that determine the purpose and methods of processing PI) that either sell PI, use PI for targeted advertising, exploit PI for profiling in ways that might negatively impact consumers, or otherwise process PI in ways that could increase consumers’ risk of negative impacts.
How can you determine if your business practices present risk to consumers, such that this rule applies to you? Good question… Another unanswered question, for now, is how often you’ll need to perform the assessments to maintain compliance. (From a security standpoint, an assessment every six months to one year would probably be the minimum.)
Additionally, CDPA (like CPRA) includes a requirement that controllers “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” What constitutes “reasonable” practices remains open to interpretation. There is some precedent under California law to view implementation of the Center for Internet Security’s 20 Critical Security Controls as the baseline for a “defensibly reasonable” cybersecurity posture.
The CDPA is just the next in a series of laws in process by other US state legislatures, including Washington, New York, Florida and Minnesota. Many controllers will therefore look to implement a national or global approach to privacy and data protection compliance, while also tracking local variants.
To connect with a data protection expert on how to establish verifiable compliance with CDPA and other privacy guidelines, contact Pivot Point Security.