On March 2, 2021, the Virginia Consumer Data Protection Act (CDPA) was signed into law, placing new mandatory guidelines on organizations that collect, store, and use consumer data in Virginia. Enforcement will begin on January 1, 2023.
Virginia’s new privacy law is part of a larger legislative trend towards implementing state-based data privacy laws. Colorado also passed new privacy regulation in 2021 and, as of January 2022, there were 15 other states considering new data privacy regulation in their 2022 legislative session.
This push for consumer data rights stems from growing concern over the amount of personal data being generated online, as well as the way that data is stored, shared, and used by commercial organizations.
In fact, a recent IPSOS survey found that, “seven in ten (70%) Americans agree that controlling who can access their online personal information has become more challenging.”
In light of these trends, it’s no surprise state leadership voted to pass the Virginia Consumer Data Protection Act. As similar regulation gains traction across the United States, businesses must take action in order to remain compliant, avoid heavy fines, and protect consumer data rights.
Table of contents
- Scope: Who is subject to the CDPA?
- How is the CDPA different from the CPRA?
- Consumer rights provided by the CDPA
- CDPA enforcement
- Determine if your organization processes “sensitive” data
- Consider a data protection impact assessment
- Develop a data request appeals process
- Provide opt-out for advertising and profiling
- Review third party contracts
- Work to implement a program that spans all legislation
- Consider your company’s tech stack
- Support a cross-functional privacy culture
What is the Virginia Consumer Data Protection Act (CDPA)?
In short, Virginia’s new data privacy law establishes a “framework for controlling and processing personal data”–outlining data rights for Virginia residents and obligations for the businesses that fall under the bill’s scope.
Like other state privacy bills, the Virginia CDPA was passed in response to concerns about the collection, storage, and use of personal data.
As revealed by a recent McKinsey survey, these concerns are shared by a majority of consumers:
87% of respondents stated they would not interact with a company if they were concerned about its cybersecurity protocols.
Currently, the Virginia CDPA only pertains to select businesses engaging in specific activities.
Scope: Who is subject to the CDPA?
Not all businesses that handle consumer data are subject to CDPA provisions. In short, the CDPA applies to:
- For-profit organizations that conduct business within Virginia, OR
- Businesses that target Virginia residents with their services or products
To be subject to CDPA provisions, any organization that falls into either of the above categories must also:
- Process or control personal data from a minimum of 100,000 Virginia residents each calendar year OR
- Process the data of 25,000 Virginia residents while deriving at least 50% of gross revenue from selling personal data
How is the CDPA different from the CPRA?
In its overall structure, the Virginia Consumer Data Protection Act is quite similar to the 2020 California Privacy Rights Act (CPRA), which amended the 2018 California Consumer Privacy Act (CCPA).
However, the CDPA differs from the CPRA in a few fundamental ways:
Opt-in consent for processing sensitive data
A first in the privacy regulation space, Virginia’s CDPA has hard guidelines around the processing of sensitive data. Put simply, if an organization processes sensitive data, they must get consent–no exceptions.
The CDPA does not impose a revenue threshold for entities under its purview. This means that even large businesses will not be obligated to comply with the CDPA unless they fall within the scope outlined above.
Thresholds for consumer data collection
The CDPA has a much higher threshold for consumer data collection, i.e., the number of consumers an entity must be collecting data on in order to fall under the CDPA’s purview. The CDPA’s threshold is 100,000 Virginia residents (for a company that’s deriving less than 50% of gross revenue from selling personal data)–double that of the CCPA.
Most notably, the CDPA does not extend to employee data, but we’ll cover exemptions in more detail below.
Under the CDPA, “sale of personal information” is defined solely as exchanging personal data for money. This stands in contrast to the CCPA, which expands the definition of selling data to include “other valuable consideration[s].”
Consumer Rights Provided by the CDPA
According to the CDPA, businesses must respond to a consumer’s request to exercise one of their rights within 45 days. Controllers can extend the deadline by 45 days when necessary, but must notify consumers of the extension.
Aside from this guideline, the Virginia Consumer Data Protection Act grants consumers six fundamental rights:
Right to Access
Consumers retain the right to access their data. This provision also affords them the ability to confirm if a controller is processing their personal data or not.
Right to Correct
In addition to accessing their data, the Virginia CDPA grants consumers the right to correct any of their controlled data.
Right to Delete
Consumers have the right to delete their personal data. They can delete this data whether it was provided by them directly or obtained from another entity, such as through a lead purchasing platform.
Right to Data Portability
The CDPA grants consumers the right to receive a copy of their personal data. Controllers must provide the data to the consumer upon request and in an easily transmissible format.
Right to Opt Out
The fifth right outlined by the CDPA gives consumers the ability to opt out of processing their personal data for targeted marketing purposes. This right is one of the few provisions of the CDPA that has no listed exceptions.
Right to Appeal
Organizations must establish an appeals process consumers can use if their data request is denied, or the organization finds itself unable to fulfill it for any reason. If an appeal is denied, controllers must inform consumers of their right to file a formal complaint with the attorney general. They must also explain how to file that complaint.
Who Enforces the CDPA
The Virginia CDPA is exclusively enforced by the Virginia attorney general. If the office of the attorney general elects to take action against a violator, they must notify the organization’s controller.
The controller must remedy the issue and submit a written notification stating that the violations have been resolved. Failure to comply can result in a fine of up to $7,500 per violation.
The Virginia CDPA has exemptions for specific entities and data types.
Exempted entities include:
- Virginia state and local governing bodies
- Organizations subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Higher education institutions
Exempted data types include:
- Employee information: This is a notable divergence between CCPA and CDPA
- Data already regulated by existing privacy laws (HIPAA, Fair Credit Reporting Act, Farm Credit Act, etc.)
- Personal information about individuals communicated with in a commercial setting, i.e., the contact information for a person at a company with whom you’re negotiating
How Businesses Can Prepare for VCDPA
Understanding new data privacy regulation, while important, is just part of the equation. Businesses must start actively preparing for the enforcement of these new laws, as non-compliance can come with heavy fines and other civil penalties.
The Virginia Consumer Data Protection Act goes into effect on January 1, 2023. Building out effective privacy infrastructure can be complex and time consuming, and the window for action is closing fast. It’s important organizations start preparing now so as not to be exposed to civil liability or financial penalties later.
To prepare for the VCDPA’s January 2023 deadline, affected businesses should consider the following steps:
Find out if your organization processes “sensitive” data
Similar to other privacy regulations (the Colorado Privacy Act and the CPRA), many of the CDPA’s requirements hinge on whether or not a company is processing “sensitive data”.
The definition of sensitive data differs slightly between different regulations, but generally refers to data concerning an individual’s ethnicity, mental health, religion, genetics, or personal identification numbers.
The CDPA defines two data types: personal and sensitive.
Personal data is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
Sensitive data is defined as:
(1) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
(2) The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
(3) The personal data collected from a known child; or
(4) Precise geolocation data.
As covered earlier, the CDPA specifically states that any entity processing sensitive data must first obtain consumer consent - no exceptions.
To remain compliant with this requirement, organizations must first determine whether or not they process sensitive data. Then, they should determine where and how this data is being collected, and provide a clear path for consumers to consent or opt out.
Determine whether a data protection impact assessment is necessary
A data protection impact assessment entails first determining whether data is being used for “risky” activities, such as user profiling, advertising, or the sale of personal data.
If it is, organizations must create a clear, documented structure for weighing the benefits and risks of processing sensitive data.
The VCDPA does not require that companies submit assessments to the Virginia attorney general; however, assessments must be available for evaluation upon request.
Develop a data request appeals process
The CDPA was the first U.S. privacy law to include obligations around an appeals process for data request refusals. In contrast, under the CCPA entities only need to inform consumers of their right to appeal, but are not required to support the process further.
Under the Virginia CDPA, companies are required to establish an internal process for appeals. Not only that, but the CDPA stipulates the appeals process must:
- Include a mechanism for filing appeals that is easy to find and use
- Have a fixed time period for the company’s response
- Provide a way to contact the Virginia Attorney General in the event a company denies an appeal
Provide opt-out for advertising and profiling
With enforcement beginning on January 1, 2023, the CDPA requires that organizations provide a way for consumers to opt out of targeted advertising and other profiling. Implementation of this requirement often comes in the form of consent managers (such as cookie banners), which allow users to determine what, if any, tracking they will allow while on a site.
Review third-party contracts
Many organizations share data with their third-party vendors, a form of data sharing that does fall under the umbrella of the CDPA.
According to the CDPA, all third-party contracts must include language around data processing. This language must cover the types of personal data being processed, duties of deletion and return, the nature, purpose, and duration of processing, and more.
Building a robust yet scalable privacy program
With 15 states considering privacy legislation in their 2022 session, Virginia’s new data privacy law is just one among many.
Building a privacy program that’s compliant with CDPA is an important step, but savvy organizations will take this as an opportunity to get ahead and build a privacy program that’s not only robust, but scalable.
Here are a few general recommendations for organizations looking to build privacy programs that support compliance today and scalability tomorrow.
Work to create a program that spans all legislation
Considered in the long-term, it’s clear privacy regulation isn’t going away. With new legislation being passed year after year, and more on the horizon, organizations should consider how to set themselves up for success today, tomorrow, and ten years from now.
Of course, predicting future legislation is difficult, but current legislation and bills under consideration do offer compelling clues as to where this sector is headed.
Consider the rules defined in recent bills and then assume those same obligations will show up, in some form or another, in all future privacy legislation.
For example, Virginia’s CDPA and the Florida Privacy Protection Act (currently under consideration for 2022) have the same provisions around scope. A business must:
- Process or control personal data from a minimum of 100,000 state residents each calendar year OR
- Process the data of 25,000 state residents and derive a minimum of 50% of gross revenue from selling personal data
Naturally, there will be exceptions and nuances with each new round of legislation, but legal precedent is powerful and it’s highly likely future privacy bills will share similar scope and structure.
In terms of strategies that work across the board, data minimization is one all organizations should consider. Data minimization addresses core privacy issues at the source–the less data you have to map, manage, and address, the fewer opportunities there are to become non-compliant.
Consider your company’s tech stack
Seek out comprehensive privacy solutions that will allow your organization to encode privacy across all data sources and automate manual tasks such as data subject requests, consent, and data mapping.
Automated platforms are more cost-effective than manual workflows or point solutions. Moreover, these technologies can help bridge the divide between legal, IT security, and engineering teams: minimizing complexity and ensuring everyone is on the same page.
Automate privacy requests across your tech stack
Transcend Privacy Requests is the easiest and most comprehensive way to delete, return, or modify a user's data or preferences across your tech stack. Learn more.
Work towards building cross-functional privacy culture
Siloing privacy to a single team or individual is a recipe for poor productivity and wasted resources. Implementing data rights is by nature a cross-functional activity that spans teams. Investing in proper training and resources, while building the concept of privacy into the fabric of your organization, will pay massive dividends as regulation evolves.
Going forward, businesses can expect to encounter more legislation like Virginia’s privacy law. New legislation is sure to originate at the state level, and eventually is likely to come at the federal level as well.
Navigating the nuances of these legal changes will only get more complex. Savvy businesses will start preparing now by first learning how they’ll be affected by new legislation, and then investing in people, programs, and solutions that ensure comprehensive internal compliance and data rights for consumers.
- How Can Businesses Start Preparing for the Virginia Consumer Data Protection Act? [Video]
- Virginia passes the Consumer Data Protection Act
- Getting ready for 2023: What Companies Can Do Now to Prepare for New Privacy Laws
- Virginia Consumer Data Protection Act Series
If your organization has been impacted by the Virginia CDPA or other consumer data laws, Transcend can help you ensure compliance. Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or seamlessly generate Records of Processing Activity (ROPA) for GDPR compliance with Data Mapping.
Looking to evaluate your current privacy program and discover any hidden costs? Explore our privacy request cost calculator.