As if remembering the names and acronyms of established data protection regulations wasn’t difficult enough as it is, many organizations that control or process personal information of Virginia residents now have to remember yet another one: Virginia’s Consumer Data Protection Act, or CDPA for short.
Signed into law in March 2021, it follows the California Consumer Privacy Act (CCPA), passed in 2018, as the second comprehensive consumer data protection law in the United States. It grants consumers rights over their personal data, including the right to opt out of its processing for targeted advertising, its sale to third parties, and certain kinds of profiling.
The CDPA takes effect on January 1, 2023, so there is still a reasonable amount of time to become familiar with it and take the steps necessary to ensure compliance. The CDPA does not affect every organization in the United States, but more state data protection acts are expected to follow in 2021 and beyond, so it makes sense to prepare early.
Who Does the CDPA Affect?
The CDPA applies to persons that conduct business in Virginia, or that produce products or services targeted to Virginia residents, and that during a calendar year either (a) control or process the personal data of at least 100,000 consumers, or (b) control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. Unlike the CCPA, there is no standalone revenue threshold: an organization that does not meet one of the two data-volume tests is out of scope regardless of its size.
The CDPA exempts Virginia state bodies, financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education. It is also important to note that a "consumer" under the act is a natural person acting only in an individual or household context, so employee data and data collected in a business-to-business context fall outside its scope.
What Rights Does the CDPA Give to Consumers?
The CDPA gives consumers several important rights, including:
- The right to confirm whether a controller is processing their personal data, and to access that data.
- The right to have inaccuracies in their personal data corrected.
- The right to have their personal data deleted.
- The right to obtain a copy of their personal data in a portable and readily usable format that allows it to be transmitted to another controller.
- The right to opt out of the processing of their personal data for targeted advertising, the sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers must respond to these requests without undue delay, and consumers who are refused have the right to appeal the decision. Together, these rights give consumers much greater control over their personal information and the way it is handled.
What Requirements Must Controllers Meet to Achieve Compliance?
In terms of requirements for controllers, the CDPA is far from revolutionary. Organizations that already comply with other data protection regulations, such as the GDPR, will find most of it familiar, and in some respects it is more lenient. For example, controllers under the CDPA have 45 days to respond to a consumer request, extendable once by a further 45 days when reasonably necessary, while controllers under the GDPR must respond within one month, extendable by two further months for complex or numerous requests. Controllers must also limit collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, maintain reasonable data security practices, obtain consent before processing sensitive data, and provide a privacy notice describing the categories of data processed and the purposes of processing.
Perhaps the biggest direct impact of the CDPA is the requirement for controllers to conduct and document data protection assessments of the following processing activities:
- The processing of personal data for purposes of targeted advertising.
- The sale of personal data.
- The processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
  - (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - (ii) financial, physical, or reputational injury to consumers;
  - (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
  - (iv) other substantial injury to consumers.
- The processing of sensitive data.
- Any processing activities involving personal data that present a heightened risk of harm to consumers.
These assessments must weigh the benefits of the processing against the risks to consumers, taking into account any safeguards that mitigate those risks, and must be made available to the Attorney General on request. In this regard, the CDPA closely resembles the Data Protection Impact Assessments described in Article 35 of the GDPR, so organizations that already perform DPIAs can largely reuse that process.
Are There Any Penalties for Noncompliance?
Yes, there are. The CDPA has no private right of action; it is enforced exclusively by the Virginia Attorney General, who may seek an injunction and civil penalties of up to $7,500 per violation, along with reasonable expenses incurred in investigating and preparing the case.
The good news for organizations that will have to comply with the CDPA when January 2023 arrives is that the act includes a right to cure: before bringing an action, the Attorney General must give the controller or processor written notice of the alleged violation, and no action may be brought if the violation is cured within 30 days and the Attorney General is given a written statement confirming the cure and that no further violations will occur. Other states have included similar "right to cure" clauses in their data protection regulations in the past, and it is likely that future regulations will continue to include them.
From January 1, 2023, Virginia consumers will enjoy several new rights when it comes to controlling their personal data. Right now, all affected organizations should evaluate their current privacy programs, confirm whether they meet the applicability thresholds, and determine what changes will have to be made to comply with the CDPA.