Virginia passed the Consumer Data Protection Act (CDPA) on March 2, 2021, making it the second comprehensive data privacy law in the United States. It is being touted as the East Coast’s answer to the California Consumer Privacy Act, the first-of-its-kind data privacy legislation in the US.
Virginia sped through the legislative process after introducing CDPA in the beginning of 2021 and passed it as a law in March. Many other states like Florida, New Hampshire, Washington, Nebraska, New York, Maryland and North Dakota are working on bringing similar privacy regulations. This is a clear indication that 2021 will bring greater data privacy regulations across the United States.
The CDPA will come into effect on January 1, 2023, the same day as CPRA. This article details everything you need to know about CDPA.
What is CDPA?
Consumer Data Protection Act or CDPA is a recent data privacy legislation passed by the state of Virginia. It borrows heavily from both its predecessors in the United States - the California Consumer Privacy Act (CCPA) and its amendment California Privacy Rights Act (CPRA), as well as the European Union’s game-changing General Data Protection Regulation (GDPR).
It establishes key definitions regarding personal data, sensitive data, consent, precise geolocation data, targeted advertising, and sale of personal data, and grants consumers a range of rights, including the right to access, correct, delete, and receive a copy of their personal data and a right to opt out of any profiling.
Importantly, CDPA is an opt-in law, meaning that businesses have to prove that they have informed consent to process a consumer’s personal data. Businesses will also be subject to third-party management obligations as well as data security and data protection requirements.
What is Personal Data in CDPA?
Personal data is any information that is linked or reasonably linkable to an identifiable person. Since an individual can be identified by putting different pieces of information together, the definition is quite broad. Under CDPA, publicly available information that is lawfully made available through federal, state, or local government records is not included in personal data.
CDPA classifies certain types of data as ‘sensitive data’ which are subject to additional requirements and restrictions. It includes:
- Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data
- Data of children
- Precise geolocation data
Precise geolocation data, which falls under sensitive data, is defined as any information derived from technology, including but not limited to GPS coordinates or other mechanisms, that can directly identify the specific location of a consumer.
Consumer Rights under CDPA
CDPA gives consumers certain rights relating to their personal data that is controlled or processed by the businesses covered under its provisions. The three major stakeholders under CDPA are the consumer, the controller and the processor.
A consumer is any resident of Virginia acting only in an individual or household context. CDPA does not include individuals acting in a commercial or employment context within its scope.
Notably, similar to GDPR, CDPA defines two different types of data handlers with respect to businesses: controllers and processors. Controllers determine the purpose and means of processing personal data, and processors are natural or legal entities that process personal data on behalf of the controller.
Key Provisions for Consumer Rights under CDPA
- Access: Consumers have the right to confirm whether a controller is processing their personal data and to access such data. Processing is defined as manual or automated operations such as “collection, use, storage, disclosure, analysis, deletion, or modification of personal data”.
- Correction and Deletion: Consumers have the right to correct inaccuracies in their personal data and to have businesses delete it.
- Portability: Consumers have the right to obtain the personal data they shared with the controller in a portable and readily usable format that allows them to transmit the data to another controller with ease.
- Opt-out: Consumers have the right to opt out of the processing of their personal data for targeted advertising, sale of personal data and profiling.
- Targeted advertising is defined as display advertising where the ads are selected based on personal data obtained from a consumer’s online activities over time and across non-affiliated websites to predict the consumer’s preferences or interests. For consumers to be able to exercise their right to opt out, businesses will need to place cookie notices/banners on their websites that let the consumer stop cookies and trackers when they visit.
- Sale of personal data is defined as the “exchange of personal data for monetary consideration by the controller to a third party”. A third party here is a person, public authority, agency, or body other than the consumer, controller, processor, or any of their affiliates.
- Profiling is defined as any form of automated processing of personal data done to evaluate, analyze, or predict personal aspects related to a consumer’s “economic situation, health, personal preferences, interests, reliability, behavior, location, or movements”.
Who Will be Impacted by CDPA?
CDPA will apply to any entity that operates or conducts business in the state of Virginia, or that offers products or services to its residents. Such entities are required to comply with CDPA if they meet either of the following thresholds:
- Control or process the personal data of at least 100,000 Virginia residents during a calendar year, or
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of their annual gross revenue from the sale of personal data
Unlike CPRA, CDPA does not stipulate a revenue threshold and will apply to businesses that meet the above criteria regardless of their annual turnover.
Exemptions under CDPA
There are broad exemptions under CDPA for financial institutions subject to GLBA, businesses subject to HIPAA, higher education institutions, non-profit organizations, and commonwealth agencies.
CDPA will also exempt particular categories of data including data already regulated by federal laws such as HIPAA, GLBA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the Children’s Online Privacy Protection Act (COPPA).
Who Will Enforce CDPA?
CDPA will be enforced by the Attorney General of Virginia. The law gives a business a 30-day notice period to “cure” the potential violations. If the business rectifies the noticed violation and provides a written statement that it has done so, no action will be initiated.
If the business fails to comply within the cure period, action will be initiated and the business will be fined. Notably, unlike its counterpart CPRA, there is no provision for a private right of action for consumers.
The law also provides for the establishment of a non-reverting fund called the Consumer Privacy Fund within the state treasury. All civil penalties, expenses, and attorney fees collected under CDPA will be credited to this fund.
What Are the Penalties?
The CDPA provides for fines of up to $7,500 per violation. Under its provisions, the Attorney General also has the right to recover reasonable expenses incurred in investigating any violation, including attorney fees.
What Does CDPA Mean for Businesses?
Businesses will be required to make disclosures about their personal data processing activities, the rights of consumers and how consumers can exercise them.
Businesses are obligated to provide a clear and accessible privacy notice that includes the following information:
- Categories of personal data collected
- Categories of third parties and the categories of personal data shared with them
- Purpose of processing personal data
- Disclosure if a business sells personal data to third parties or processes it for targeted advertising
- Method to opt-out of any sale or processing of personal data
- Information about how consumers can exercise their rights
- Reliable means for consumers to submit requests and follow up
Responsibilities of Data Controller
Notably, similar to GDPR, CDPA also defines two different types of data handlers: ‘processors’ and ‘controllers’. A controller is defined as a “natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data” and a processor is a “natural or legal entity that processes personal data on behalf of a controller”.
CDPA sets forth a range of responsibilities for the controller with regard to collecting and processing consumers’ data, including:
- Collecting only personal data that is adequate, relevant and necessary for the purposes for which the data is processed and disclosed to the consumer
- Obtaining the consumer’s consent if the data is neither reasonably necessary for nor compatible with the purpose already disclosed to the consumer
- Establishing and implementing reasonable administrative, technical and physical data security measures “to protect the confidentiality, integrity, and accessibility of personal data”
- Processing sensitive data only after obtaining the consumer’s consent or, in the case of a child, obtaining parental consent in accordance with the Children's Online Privacy Protection Act
- Complying with requests from consumers, including informing the consumer of any action taken in response to a request, within 45 to 90 days of receiving the request
- Establishing a process for a consumer to appeal a business’s refusal to take action on a request, and an online mechanism to submit such appeals
- Setting up an online or offline mechanism for the consumer to submit a complaint to the Attorney General if the appeal is denied
CDPA requires the controllers to seek consent from the consumers when processing sensitive data. Consent is defined as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement” to process data. This opt-in approach to consent under CDPA shares many commonalities with the consent standard established by GDPR.
Responsibilities of Data Processor
CDPA also establishes a set of obligations for processors of data to assist the controller in meeting its obligations, including:
- Signing a binding contract that will clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both controller and processor
- Providing appropriate technical and organizational measures to help the controller fulfill its obligation to respond to consumer rights requests
- Assisting the controller in relation to the security of processing the personal data and in relation to the notification of a breach of security
- Providing necessary information to enable the controller to conduct and document data protection assessments
Data Protection Assessment
Similar to CPRA, CDPA requires businesses to conduct data protection assessments of activities involving the processing of personal data, such as processing for targeted advertising, sale of personal data, profiling (in specified instances), processing of sensitive data, and any other processing activities involving personal data that “present a heightened risk of harm to consumers.”
Data protection assessments are mandated to weigh the benefits that “may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public” against the potential risks of the data processing, so that a business can employ safeguards to reduce those risks.
- CDPA mandates that businesses limit the personal data they collect to only what is necessary for the business, and provides consumers with a range of new rights over how businesses can use their data.
- Borrowing from GDPR, CDPA requires businesses to obtain affirmative consent before collecting or processing sensitive data from consumers.
- Consumers have the right not only to opt out of the sale of their personal data but also to opt out of their data being used for targeted advertising and profiling.
How Should Businesses Prepare for CDPA?
While CDPA will not go into effect until January 2023, businesses should start taking proactive steps towards data privacy and compliance. As the privacy landscape in the United States is constantly evolving, it is imperative that businesses are always compliance-ready.
Consider implementing the following strategies:
- Determine if CDPA applies to your business
- Conduct a data inventory and data mapping of all data that is collected, processed and shared
- Implement data security mechanisms to protect and secure consumers’ data
- Add clear opt-in forms before or at the time of data collection
- Provide cookie consent forms
CookieYes is a cookie consent solution for your website that will help you to comply with data protection laws like GDPR, CCPA and CDPA. You can easily add a fully customizable cookie consent banner and make it available in 24 languages.
CookieYes will automatically scan your website for cookies and add them to your site’s list of cookies. You can automatically block 20+ third-party cookies, including cookies from Google Analytics, Facebook Pixel, Hotjar, and YouTube, until you get user consent.
Sign up for free today!