Virginia is the second state to enact a comprehensive data protection and privacy law that takes components from the EU’s GDPR and the US’ CCPA building on the momentum of an evolving privacy landscape. Governor Ralph Northam (D) signed the Customer Data Protection Act (CDPA) into law last Tuesday after the bill passed through the House and Senate, gaining unanimous support. The CDPA goes into effect on January 1, 2023, the same day as the California Privacy Rights Act (CPRA) giving businesses plenty of time to enact the necessary changes to their data practices to ensure compliance.  

Who is in Scope? 

For organizations wondering if they fall in-scope of the CDPA, the regulation currently applies to all persons that conduct business in the Commonwealth of Virginia or services that are targeted to residents of Virginia: 

  • During a calendar year, control or process personal data of at least 100,000 consumers OR; 
  • Control or process personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data. 

Unlike other privacy regulations, the CDPA omits a revenue threshold, which means businesses of all sizes can fall in-scope if they are processing enough data. The CDPA defines personal information as, “any information that is linked or reasonably linkable to an identifiable natural person,” which directly applies to both businesses that process and control personal data. 

Consumer Rights Under the CDPA

Under the CDPA, consumers are granted specific rights to their data from businesses or controllers that collect, process, share, and sell their personal identifiable information. However, de-identifiable data (data that cannot  be associated with a natural person) or publicly available information are excluded from the regulation. Virginia residents have the following rights under the CDPA: 

  • Confirm whether or not a (data) controller is processing the consumer’s personal data and to access such personal data;
  • Delete personal data provided by or obtained about the consumer; 
  • Correct inaccuracies in a consumer’s personal data
  • Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and readily usable format (where the processing is carried out by automated means)
  • Opt-out of sales, targeted advertising, and profiling; in the furtherance of decisions that produce legal or similarly significant effects concerning the consumers 

In addition, businesses in-scope of the CDPA have 45-days to provide a response to consumer requests and another 45-day extension when “reasonably necessary” due to complexity. If declining a request, controllers must provide justification for declining to take actions, and provide instructions on how to further appeal the denial. 

Additional Controller Responsibilities

A significant difference between the CDPA and other privacy regulations; controllers must adhere to data minimization principles and implement reasonable security systems to protect personal data and ensure contracts are in place with processors. Controllers that engage with targeted advertising, sale of personal data, certain types of profiling, processing of sensitive data, or processing activities that present a heightened risk of harm to consumers, must conduct and document “data protection assessments.”

Who Enforces Virginia’s Novel Privacy Act?

Similar to the current California Consumer Privacy Act (CCPA), the enforcement body for the CDPA and data breaches is the Office of the Attorney General. This enforcement body is responsible for citing businesses who violate the law with a 30-day right to cure, and penalties and fines upwards of $7,500 per violation. In addition, the attorney general is permitted to recover reasonable expenses for investing and bringing action. 

What’s Your Next Step?

Data Inventory. With these new obligations, it is paramount that businesses understand where their data resides, and how they are using it. Businesses can start by taking an inventory of all the data they collect, and then categorize it to ensure they meet the requirements set forth by the CDPA.  

Data Minimization. Upon reviewing the data being collected on consumers, businesses should review their data collecting principles and limit collection to only what is required to fulfill a specific purpose. 

Privacy Policies. Similar to CCPA, GDPR, and CPRA, privacy policies should be prominently placed on a business’s website to ensure consumers and those enforcing the law can review and understand how their data is being used. 

Intake Requests. Providing consumers with an easy to follow mechanism to submit data access requests is key to ensuring compliance. However, with other states gaining momentum processing their own state laws, it is only a matter of time until we have a patchwork of individual state privacy laws to comply with, making it more challenging for businesses to burn and rebuild every time a new privacy regulation is introduced. 

Data Security. An important obligation under the CDPA is ensuring reasonable administrative, technical, and physical data security practices are in place to protect the confidentiality, integrity, and accessibility of personal data. As bad actors are constantly finding new ways to penetrate networks and server ecosystems, businesses need to have a plan in place to protect the business’ bottom line, and consumer data from ransomware and other attacks that leave personal data vulnerable. 

Whether a business has an internal SOC or incorporates a managed detection and response (MDR) solution, having a strong security plan in place to protect consumer data is critical. An MDR solution can secure your business and customer data  24/7 and ensure you have a holistic security solution that scales with CDPA and beyond. Learn more about MDR in our eBook: 5 Things to Consider When Choosing an MDR Provider