Virginia Consumer Data Protection Act – All about CDPA
What is the VCDPA?
The Virginia Consumer Data Protection Act (CDPA) is a Virginia privacy law that establishes data protection rights and privacy safeguards for consumers in Virginia. The CDPA took effect on January 1, 2023, and applies to businesses that conduct business in Virginia or process the personal data of Virginia consumers. Covered businesses must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. In 2021, Virginia became the second state, after California, to pass comprehensive consumer privacy legislation: Ralph Northam, the governor of Virginia, signed the Virginia Consumer Data Protection Act (“VCDPA”) on March 2, 2021.
The CDPA establishes a framework for protecting the privacy of Virginia consumers by requiring businesses and organizations to be transparent about their data collection, use, and sharing practices and by giving consumers certain rights concerning their personal data, including the right to refuse the processing of their personal data for purposes of targeted advertising. The VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Overall, it is a comprehensive data privacy regulation. It represents a significant expansion of consumer privacy rights in Virginia and imposes new obligations on businesses regarding their data protection practices.
What is the scope of CDPA?
The CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents, regardless of where the business is located, and that meet either of the following thresholds:
- During a calendar year, control or process the personal data of at least 100,000 consumers; or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data or publicly available information.
The CDPA does not apply to:
- Small businesses with gross annual revenues of less than $25 million.
- Certain types of non-profit organizations or institutions of higher education.
- Any body, authority, board, bureau, commission, district, or agency of Virginia or of any political subdivision of Virginia.
- Certain types of personal data, such as data collected and used for employment purposes or data collected and used for journalism or news purposes.
- Financial institutions, or data, subject to Title V of the Gramm-Leach-Bliley Act (GLBA) of 1999; and
- Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009.
What is personal data in Virginia CDPA?
“Personal Data” under the CDPA is defined broadly and is comparable to the definitions in the CCPA and the EU GDPR. It excludes de-identified and publicly available information, and the law defines a consumer as a natural person acting in an individual or household context.
A consumer expressly does not include “a natural person acting in a commercial or employment context,” and data collected from job applicants is likewise exempt. Controllers must comply with consumer requests to exercise their rights, and the law defines the sale of personal data as the “exchange of personal data for monetary consideration by a controller to a third party”.
Virginia "Sensitive Personal Information"
“Sensitive Data” means “a category of personal data that includes”:
- Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal data collected from a known child; or
- Precise geolocation data.
What consumer rights does the Virginia CDPA grant?
- Right to notice: Consumers have the right to be informed about a business’s personal data collection, use, and sharing practices, including the purposes for which the data will be used and the categories of third parties with whom the data will be shared.
- Right to access: Consumers have the right to request and receive a copy of their personal data that a business has collected and processed.
- Right to correct: Consumers have the right to request that a business correct any inaccurate or incomplete personal data that it has collected and processed.
- Right to delete: Consumers have the right to request that a business delete their personal data.
- Right to object: Consumers have the right to object to the processing of their personal data for certain purposes, such as for marketing or profiling.
- Right to data portability: Consumers have the right to request that a business transfer their data to another controller.
By respecting and upholding these data subject rights, businesses can ensure that they comply with the Virginia CDPA (Virginia Consumer Data Protection Act) and protect the privacy of Virginia residents.
What are data processing principles under Virginia CDPA?
Under the Virginia CDPA, controllers must adhere to certain data processing principles when collecting, using, and disclosing the personal data of Virginia consumers. These principles are designed to ensure that data is handled responsibly and transparently and that the rights of consumers are respected.
The principles under the CDPA include:
- Purpose specification: You must specify the purposes for which you are collecting, using, or disclosing data before you collect it.
- Data minimization: You must minimize the amount of data you collect and only collect what is necessary for the purposes you have disclosed to the consumer.
- Data accuracy: You must take reasonable steps to ensure that data is accurate, complete, and up to date.
- Data security: You must implement appropriate technical, administrative, and physical safeguards to protect data from unauthorized access, use, or disclosure.
- Data retention: You must retain data only for as long as necessary for the purposes you have disclosed to the consumer.
- Data transparency: You must be transparent with consumers about how you collect, use, and disclose their data via privacy policies and provide them with access to their data upon request.
- Data accountability: You must comply with these principles for any data you collect, use, or disclose.
How are Data Protection Impact Assessments conducted under the CDPA?
Virginia’s CDPA requires businesses to conduct and document “data protection impact assessments” for certain types of data practices, including the processing of data for targeted advertising, the processing of sensitive data, and any processing activity that presents a heightened risk of harm to consumers. These assessments must weigh the benefits of the practice against the risks it creates, and they must be made available to the Virginia Attorney General upon request.
Data protection assessments are an important part of data privacy and security because they surface the risks and vulnerabilities associated with processing personal data before the processing begins. A Data Protection Impact Assessment (DPIA) is a systematic process for evaluating the impact that specific types of data processing operations may have on individuals’ rights and freedoms; it assesses the risks associated with the processing and identifies ways to mitigate them. A Privacy Impact Assessment (PIA) assesses how data processing may affect people’s privacy rights and freedoms.
DPIAs and PIAs are essential to ensuring that organizations handle data lawfully, securely, and in line with the relevant regulations and standards.
What happens when a CDPA violation occurs?
The Virginia CDPA is a state law that regulates the collection, use, and sharing of personal information by businesses and other organizations. It includes penalty provisions for non-compliance, designed to ensure that businesses and organizations take the necessary steps to protect the privacy of Virginia consumers.
Under the Virginia data privacy law, the attorney general or a consumer may bring a civil action against a business or organization that fails to comply with the CDPA’s requirements. If a court finds that a business or organization has violated the CDPA, it may impose a civil penalty of up to $7,500 per violation. Separately, every controller must set up, and disclose in its privacy notice, one or more secure and reliable methods by which consumers can submit requests to exercise their rights under the law.
In addition to civil penalties, the CDPA allows the attorney general or a consumer to seek injunctive relief to stop a business or organization from violating the CDPA. A court may order the business or organization to take specific actions, such as ceasing certain data practices or implementing particular data protection measures, in order to comply.
Finally, the CDPA allows the attorney general to bring a criminal action against a business or organization that intentionally or recklessly violates the CDPA. If a court finds that a business or organization has committed a criminal violation of the CDPA, it may impose a fine of up to $50,000 per violation.
The CDPA’s penalties are designed to ensure that businesses and organizations take the necessary steps to protect the privacy of Virginia consumers and to promote compliance with the CDPA’s requirements. By taking steps to comply with the CDPA, businesses and organizations can help protect Virginia consumers’ personal data and build trust with their customers.
How can organizations prepare for CDPA?
To comply with the CDPA, you will need to take the following steps:
- Determine if the CDPA applies to your business: The CDPA applies to any person or business that handles the personal data of Virginia residents, regardless of where the business is located. If your business collects, processes, or stores Virginia residents’ data, you must comply with the CDPA.
- Review your data collection and processing practices: The CDPA requires businesses to be transparent about their data collection and processing practices. You will need to review your current practices to ensure that you are collecting and processing personal data in a manner that is consistent with the CDPA. This includes identifying the types of data you collect, the purposes for which you collect it, and the third parties with whom you share it.
- Develop a data inventory and mapping plan: The CDPA requires businesses to develop and implement a data mapping plan that outlines how they will handle personal data in accordance with the law. Your data mapping plan should include details on how you will collect, use, and protect data and respond to data subject requests.
- Obtain consent: The CDPA requires businesses to obtain explicit consent from individuals before collecting, using, or disclosing their personal data. You will need to develop a process for obtaining consent and ensure that it is properly documented. You should also provide clear and concise information about how you will use the personal data you collect and obtain consent for each specific use.
- Respond to data subject requests: Virginia’s CDPA gives individuals the right to request that their data be deleted, corrected, or transferred to another business. You will need to have processes in place to respond to these requests in a timely manner. This may include providing individuals with access to their personal data and allowing them to request that it be corrected or deleted.
- Implement appropriate safeguards: The CDPA requires businesses to implement appropriate safeguards to protect personal data from unauthorized access, use, or disclosure. This may include implementing technical safeguards such as encryption and secure servers and organizational measures such as employee training and data protection policies. You should conduct a risk assessment to identify potential vulnerabilities and implement safeguards to address them.
- Comply with the CDPA’s reporting requirements: The Virginia privacy law or CDPA requires businesses to report certain data breaches to the Virginia Attorney General and affected individuals. You will need to have processes to identify and report data breaches per the law. This may include conducting a thorough investigation to determine the scope and impact of the breach and taking steps to prevent similar incidents from occurring in the future.
Conclusion
With the Virginia CDPA in force since January 1, 2023, consumer data rights in Virginia have advanced significantly. Its provisions, which emphasize data security and privacy, are binding on companies processing the data of Virginia residents. The rights granted to consumers include notice, access, correction, deletion, objection, and data portability. The CDPA imposes fines for non-compliance, reinforcing its commitment to privacy and transparent data practices. The law compels compliance, demonstrating Virginia’s commitment to strengthening data privacy and fostering trust.
How Mandatly Helps
- Data Inventory and Mapping: Gain visibility into the personal data you have collected, retained, and processed by centralizing all of your systems and processing activities, and keep your data inventory up to date to support “lookback” and fulfil subject access requests.
- PIA/DPIA: Perform risk assessments with the Mandatly compliance software solution, which offers pre-defined templates, relevant workflows, and automatic assessment of risks and impacts to support risk-informed decision-making, with a record of every action performed during the assessment process.
- DSAR Management: Our DSAR solution automates your Data Subject Request process, improving efficiency and saving your time and resources.
- Privacy by Design (PbD): We enable you with privacy control monitoring to ensure that your products, applications, databases, and networked IT systems are designed to comply with the Privacy by Design and by Default principles.
- Accountability and Governance: We provide pre-defined roles and responsibilities to handle the privacy procedure with utmost accuracy and accountability.
- Reporting: We offer a reporting feature built into the system to get a holistic view of the compliance program for different stakeholders.