Virginia Passes Consumer Data Protection Act
Virginia’s Consumer Data Protection Act (CDPA) is the first major state privacy law since California's. Under the law, organizations will need to implement reasonable security practices to protect sensitive data.
As expected, Virginia passed its first consumer data protection law earlier this month, the latest domino to fall in what's becoming a long and confusing line of similar regulations.
While there’s been no shortage of data privacy laws of late, with the move, Virginia became only the second state to enact comprehensive privacy legislation. The state's Governor Ralph Northam signed it into law on March 2.
While the law, the Virginia Consumer Data Protection Act, won't likely have a pivotal impact on every organization's day-to-day operations, it should help inform how your organization handles and protects sensitive personal data, even if none of it belongs to Virginians.
While the law has some overlap with the California Consumer Privacy Act (CCPA), it would be wrong to assume that if you comply with the latter you're automatically in compliance with the former. The scope of the two laws differs, as do how they define the sale of data, consumer rights, consent, and how they will be enforced, to name a few. Companies that are confident they're compliant with the CCPA will likely have a head start complying with the CDPA, but it's important to be cognizant of the differences.
Still, like practically all consumer data privacy laws these days, the CDPA is expected to heavily regulate how businesses process and handle sensitive data. Under the law, it will be important for companies to understand what constitutes sensitive data. The CDPA defines this as roughly “any information that is linked or reasonably associated to an identified or identifiable natural person.”
Under the CDPA, sensitive data includes personal data involving racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data from a child, and geolocation data.
Under the law, any person who resides in Virginia can exercise certain rights around their personal data. Upon request, organizations will need to be able to confirm whether or not they process the person's personal data and whether there are inaccuracies in the data being processed, delete personal data, deliver a copy of the data in a portable format, and honor requests to opt out of having that information used for targeted advertising, sale, or profiling.
Another requirement included in the CDPA is data protection assessments. Organizations would be obligated to assess any processing activity that involves data used for the purposes described above.
All said, the law, much like the CCPA and the General Data Protection Regulation (GDPR), puts the onus on enterprises to ensure they know at all times where sensitive data resides and how it moves throughout the organization. Solutions that provide transparency and visibility around data workflows, especially as they relate to the movement of sensitive data like PII, could be valuable in helping satisfy the law.
That said, not every business will need to comply. Like the CCPA, the CDPA has exclusions for nonprofit organizations and small and medium-sized businesses. Businesses that already need to comply with overarching federal data privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA) and the Fair Credit Reporting Act (FCRA), among others, are exempt too.
Businesses that are either located in Virginia or target Virginia consumers, and that either process data belonging to over 100,000 Virginia consumers or process data belonging to over 25,000 Virginians while making 50% of their gross revenue from data sales, will have to comply, however.
As previously announced, businesses found in violation of the law will be given 30 days to remedy any issues before being fined up to $7,500 per violation.
It's worth noting that the CDPA didn't authorize a rulemaking process, meaning that there should be fewer hurdles en route to the law's January 1, 2023 go-live date, unlike the CCPA, which encountered round after round of revisions.
2023 may be almost two years away, but ensuring a business has the means to visualize the data the CDPA may apply to, in addition to ensuring there are "reasonable security practices" to protect that data (the law requires companies to have administrative, technical and physical data security practices), should be top of mind for compliance and privacy officers at organizations that collect Virginians’ data.
Even if your company doesn't collect and process data on Virginians, these data privacy laws (in the works in Colorado, Connecticut, Florida, New York, Minnesota, Oklahoma, Ohio and Washington) continue to coalesce and clearly aren't going away anytime soon.