Why is this law important?
Any consumer that is willing to engage with a business online has an expectation of basic trust when it comes to their personal information. The consumer believes that the business will handle their personal information with due care. In turn, businesses need to gather some amount of information about their consumers or potential consumers so they can market their products and services. It then becomes critical to implement sound data protection practices in order to demonstrate to their customers that the business can be trusted with their personal data.
In the United States, there are five states – California, Colorado, Connecticut, Utah, and Virginia that have enacted comprehensive consumer privacy laws, and others are in the pipeline. The US has long had various industry specific data privacy laws at the Federal level (such as healthcare, credit card, banking and defense), and is now considering enacting a general Federal law for data privacy. In Europe, businesses are held to a stricter standard of care for handling personal information, and the General Data Protection Regulation (GDPR) has been in place for years. GDPR describes the requirements that businesses must meet if they store or process personal data of European residents. GDPR has set the bar as the international standard for most other countries’ data privacy regulations that have come after it. The Virginia Consumer Data Protection Act (CDPA) is based upon some of the same principles as GDPR, and the CDPA will be the focus of this blog as it is set to go into effect on January 1, 2023.
Building a privacy policy to comply with CDPA is not far from what organizations are doing today to adhere to the California Consumer Privacy Act (CCPA). Beyond the requirements set forth in the regulations, the challenges a business faces are both technical and operational. Implementing the right technology in support of a privacy program is difficult to navigate. Also, convincing members of your business to change processes to comply with privacy regulations is one of the harder things that organizations do in their privacy journey. BD Emerson has expertise in both of these areas, and we have partnered with organizations ranging from mature Fortune 100 companies to startups that know they will need to comply comprehensive privacy laws in short order.
What are the obligations for businesses under the CDPA?
- Transparency: The business must be transparent with consumers in how they handle consumers’ personal data and explain how the business works with third-party vendors whenever it involves personal data.
- Limiting data collection: Businesses must limit information and data collection to what is adequate, relevant, and reasonably necessary to run the business. The CDPA extends to both online and offline data collection practices.
- Limiting purpose: The business must process personal information and data only for purposes that are compatible with the purposes disclosed to the consumer.
- Maintaining security protocols: The business must establish, implement, and maintain security measures that are reasonably required to protect consumers’ personal data. New assessment measures may be required.
- Avoiding discrimination: Businesses cannot process personal data in a way that violates state or federal anti-discrimination laws. In addition, businesses are generally prohibited from discriminating against a consumer for exercising their rights under the CDPA.
- Obtaining consent: The business is required to obtain consent for the processing of personal data. Express consent is particularly important when processing sensitive data, handling children’s data, or deviating from a previously disclosed purpose.
How do I know if I need to comply?
The criteria for businesses to comply with provisions of the CDPA:
- Conducts business in Virginia or markets their goods and services to Virginia residents.
and Either:
- Controls or processes the personal data of at least 100,000 Virginia residents; or
- Controls or processes the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data.
Excluded entities:
- Organizations acting in commercial or employment contexts;
- Protected health data that is covered under the Health Insurance Portability and Accountability Act (HIPAA);
- Personal data regulated by the Family Educational Rights and Privacy Act (FERPA);
- Information and data related to credit reports, as regulated by the federal Fair Credit Reporting Act (FCRA);
- Information and data related to vehicle driver information, as regulated by the federal Driver’s Privacy Protection Act of 1994; and,
- Information and data subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), which largely regulates banks and financial institutions.
Sensitive data:
Organizations subject to CDPA must obtain consent prior to collecting and processing certain categories of sensitive personal data, such as:
- Personal data including "racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status";
- Biometric data used "for the purpose of uniquely identifying a natural person";
- Data collected from a known child; and,
- Precise geolocation data.
CDPA requires that businesses only hold the pieces of data they need for a specific purpose and necessary to achieve that purpose; these principles are commonly referred to as purpose limitation and data minimization. The CDPA also requires companies and organizations implement and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data.
How does CDPA define consumers?
The CDPA defines a 'consumer' as a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
Consumer rights within the CDPA
The CDPA affords consumers with the following rights:
- The right to know, access and confirm personal data.
- The right to delete personal data.
- The right to correct inaccuracies in personal data.
- The right to data portability (i.e., easy, portable access to all pieces of personal data held by a business).
- The right to opt out of the processing of personal data for targeted advertising purposes.
- The right to opt out of the sale of personal data.
- The right to opt out of profiling based upon personal data.
- The right to not be discriminated against for exercising any of the foregoing rights.
How does CDPA define consent?
The CDPA defines 'consent' as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, which may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
Penalties for violations of the CDPA
Enforced by the Virginia Attorney General and allows for a 30-day cure period, but uncured non-compliance can result in a civil penalty of up to $7,500 per violation as well as attorney’s fees.
What is needed to comply with CDPA and how can BD Emerson help?
Organizations should begin reviewing and maintaining their personal data processing activities, data security measures, and data inventories, as well as establishing some baseline process for identifying the risk of processing activities, privacy policies, and service provider contracts. Businesses should be able to demonstrate their compliance with notice, data minimization, and data protection assessment requirements.
BD Emerson uses OneTrust - The Unified Platform to Manage Governance, to build privacy enforcement programs, which includes the following functions:
- Discover: Identify what personal data the business has and where it resides.
- Map: Determine how the business shares personal data with third parties.
- Manage: Govern how personal data is used and accessed. Govern relationships with vendors.
- Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- Document: Document a data breach response program.
- Assess: Conduct assessments of the business’s security and privacy measures.
- The CDPA provides that a business must conduct a data protection assessment for each of the following processing activities involving personal data:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling,
- the processing of sensitive data; and
- any processing activities involving personal data that present a heightened risk of harm to consumers.
The current federal privacy laws and regulations force businesses to undertake major efforts to fully comply and protect their customers’ data. To see if your business is covered by the CDPA and how its components could affect your business operations, contact us at BD Emerson to help guide you through the analysis and any necessary changes.