The Consumer Data Protection Act (CDPA) is a Virginia law that can affect businesses across the United States and beyond. It's arguably one of the strongest privacy laws in the United States when it comes to establishing and protecting consumer rights.
The law sets out specific ways in which businesses must respect and uphold these rights.
In this article we'll take a look at the rights granted by the CDPA and what you must do to uphold and facilitate these rights.
- 1. Basics of the CDPA
- 1.1. Scope
- 1.2. Exemptions
- 1.3. Penalties for Non-Compliance
- 2. What are the CDPA Consumer Rights?
- 2.1. The Right to Know
- 2.1.1. Timeline
- 2.1.2. Costs
- 2.1.3. Consent
- 2.2. The Right to Correct
- 2.3. The Right to Delete
- 2.4. The Right to Transfer
- 2.5. The Right to Opt Out
- 2.6. The Right to Exercise Rights
- 3. Other Requirements of the CDPA
- 3.2. Implement Data Processing Agreements
- 3.3. Conduct Data Protection Assessments
- 3.4. Adequately Secure Personal Data
- 4. Summary
Basics of the CDPA
Scope
The CDPA, which takes effect from 1 January 2023, covers businesses handling personal data about consumers. Unlike with laws such as Europe's GDPR, the revenue of the business doesn't matter.
Instead the key threshold is that the business handles personal data about more than 100,000 Virginia consumers in a calendar year. If the business makes more than half its gross revenue by selling personal data, the threshold falls to 25,000 consumers.
Personal data means any information about an identified or identifiable individual. However, the CDPA only covers information about people "acting only in an individual or household context."
It doesn't cover business-to-business or employer-employee contexts. Neither does it cover information which the individual has already made public, or which has been deidentified (anonymized).
Exemptions
The main exemptions are:
- Businesses that are already subject to a relevant federal privacy rule such as HIPAA for medical information. This exemption covers the business completely rather than just applying to data that comes under the relevant federal rule.
- Businesses that are outside of Virginia and don't target Virginia consumers. This exemption will rarely apply to U.S. businesses because "target" simply means offering products or services to Virginia consumers. It doesn't mean you prioritize customers in Virginia over any other location.
Penalties for Non-Compliance
The CDPA doesn't let consumers take legal action, for example through civil cases. However, the Virginia Attorney General has the power to give a business 30 days to correct any violation.
If the business doesn't meet this deadline, the Attorney General can issue a fine (specifically a civil penalty) of $7,500 per violation. As each affected individual counts as a separate violation, this could soon mount up.
What are the CDPA Consumer Rights?
The CDPA specifically creates some legal rights for consumers in Virginia. While the law lists particular requirements for businesses, you must know and understand these rights.
Because the rights are set out in law, officials may take them into account when settling any dispute or ambiguity about the specific requirements placed on businesses. This means the safest approach is to avoid looking for loopholes and instead always ask yourself whether the way you handle data respects these rights.
Where relevant, the rights cover data processed in the 12 months before the consumer exercises the right. This means you'll need to keep accessible records of personal data you process from 1 January 2022 at the latest.
Let's take a look at each of these rights in turn.
The Right to Know
Consumers have the right to know whether a business is processing their personal data and, if so, to access that data. The CDPA doesn't specify how consumers can or must make an access request, other than to say you must take into account the normal ways in which you communicate with one another.
AQA clearly explains how to make a data access request and what will happen when one is made:
Timeline
When a consumer makes a data access request, you must follow a strict timeline. Within 45 days you must do one of the following:
- Meet the request
- Ask to extend the deadline to 90 days (You can only do so if you have good reason)
- Ask for more information if you need it to meet the request
- Refuse the request because you can't meet it using "commercially reasonable means"
If you refuse the request, you must tell the consumer they can appeal your decision. If they do so, you have 60 days to respond to the appeal and then tell the consumer they can lodge a complaint with the Virginia Attorney General.
In all cases you must respond as soon as practical. You must not intentionally delay a response even if you are still within a deadline.
Costs
The first two times a consumer exercises this right in the same year, you cannot charge them to respond.
Responding to a third or further request in a year can only carry a charge if the request is "manifestly unfounded, excessive and repetitive." The charge can only be administrative, meaning it covers your actual costs in responding.
Consent
The CDPA doesn't require consent to use personal data in most cases. However, the consumer must be aware what data you use and how. If they don't know about the data use, you are breaching their right to know and thus the data use is unlawful.
The two situations where you do need consent are:
- You are already using personal data, but want to start using it for a new purpose that you haven't previously told the consumer about.
- You want to use sensitive personal data. This includes:
  - A diagnosis of physical or mental health
  - Any personal data that you know is about a child
  - Genetic or biometric data that identifies somebody
  - Information about ethnic or racial origin
  - Information about immigration status or citizenship
  - Information about religious beliefs
  - Information about sexual orientation
  - Precise geolocation data
The Right to Correct
Consumers have the right to correct any inaccuracies in the personal data a business holds about them.
The CDPA says this right takes "into account the nature of the personal data and the purposes of the processing of the consumer's personal data."
What effect this wording has may depend on future guidance and Virginia Attorney General rulings. It's possible it means the Attorney General is less likely to impose a penalty for failing to promptly correct a trivial inaccuracy than one which has a harmful effect on the consumer.
Takeda explains how and when it will correct data:
The Right to Delete
Consumers have the right to demand that a business delete the personal data it holds about them. This applies regardless of where you got the data.
Exactly when you must meet this demand has yet to be fully established. It may become clearer as officials develop more guidelines before the law takes effect, or after the Attorney General begins enforcing the law and ruling on specific cases.
That said, the law does specifically say you must only collect data that is necessary and relevant for the stated purpose. It's highly likely you'll need to meet a demand to delete data that is no longer necessary or relevant for this purpose. You can't hold on to data simply because you might need it later on, or because you plan to use it for a new purpose.
It's also likely that you'll be allowed to refuse a deletion request if you need to keep the data to prevent fraud or other security risks, or if you have a legal obligation to keep the data.
The Right to Transfer
Consumers have the right to get a copy of the personal data they have provided to a business. This must be in a readily transferable form. It's the same right that other laws call "data portability."
The general principle is that, as far as technically feasible, you should provide data in a format that the consumer can provide to another data controller. For example, they may want to take their records to another business.
Unlike with the other rights, this right only covers data the consumer has provided. It doesn't cover data that you hold about them but obtained from another source.
The Right to Opt Out
Consumers have the right to opt out of their data being used in any of three ways:
- Selling the data, specifically meaning an exchange for money (Sharing data or passing it on to an affiliate isn't covered by the opt-out)
- Using the data for targeted advertising
- Using the data for profiling (sometimes called automatic decision making) that creates a legal or other significant effect
This right is absolute. It doesn't matter if you think it is unreasonable or will cause you too much trouble or financial loss to comply with such an opt-out.
As the opt-out is a legal right, you shouldn't impose any conditions or requirements that make it harder to exercise the right or deter the consumer from doing so.
The Right to Exercise Rights
Businesses cannot discriminate against a consumer who exercises any of their CDPA rights. Discriminating could mean refusing to serve the consumer or charging higher prices compared with other customers. It could also mean threatening to do either of these things.
The main exception to this right is that you can charge lower prices or offer free goods or services to people who've provided data through a legitimate loyalty program, rewards card or similar program.
Consumers must exercise their rights individually. You don't have to respond to a group, such as a consumer rights body, exercising rights on the individual's behalf.
Other Requirements of the CDPA
The CDPA has several other specific requirements for businesses. Remember that when following these requirements, you should consider if and how you are respecting the consumer's rights under the law.
- How consumers can exercise their CDPA rights and appeal against your decisions
- What personal data you collect, broken down into logical categories
- What personal data you share, broken down into logical categories
- Whether you carry out targeted advertising using personal data, and how the consumer can opt out
- Whether you sell personal data, and how the consumer can opt out
- Who you share personal data with, broken down into logical categories
- Why you collect or use personal data (the purposes)
Phonak uses a good balance of categories of data that it collects, informing the user without going into overwhelming detail:
Conversant Media already has a mechanism for opting out of data sales to comply with California's CCPA. Remember that Virginia's CDPA defines "sales" more narrowly, so an opt-out only has to cover selling the data for money:
Dodd Accountants uses a clear chart to show the purposes for which it uses different types of personal data:
Note that the explanation of the lawful basis for each type of processing (designed for Europe's GDPR) isn't necessary to comply with the CDPA.
Implement Data Processing Agreements
If you use a third party to process data on your behalf (and in line with your instructions), you are known as the data controller and they are the data processor.
The CDPA says you must have a binding "data processing agreement" with them that includes the following:
- Clear instructions on what to process and how
- The data processor's duty of confidentiality
- A requirement for the data processor to delete or return data when they have finished providing services
- A requirement for the data processor to give you any information you need to show they've followed the law, and to cooperate if you carry out an audit or assessment of this compliance
- A clause saying the data processor will have a similar data processing agreement with any sub-contractors
Conduct Data Protection Assessments
You must carry out a data protection assessment before doing any of the following things, which could infringe a consumer's CDPA rights:
- Processing personal data for profiling that could harm the consumer
- Processing sensitive personal data
- Processing that creates a "heightened risk of harm" to the consumer
- Selling personal data
- Using personal data for targeted advertising
The data protection assessment should consider the risks of the action and what steps you can take to mitigate the risk. You should keep a copy of the data protection assessment as it may count in your favor if the Virginia Attorney General later investigates a complaint about the action you took.
Adequately Secure Personal Data
The CDPA says you must adequately secure personal data. The aim is to make sure it remains accessible, complete and confidential. While the CDPA doesn't give specific instructions for how to do this, you should use a combination of technical, physical and administrative measures.
Summary
Let's recap what you need to know about consumer rights under the CDPA:
- The CDPA is a Virginia law taking effect on 1 January 2023. It covers most businesses that handle personal data about more than 100,000 Virginia consumers in a calendar year.
- Breaching the CDPA and failing to correct the breach within 30 days can lead to a fine of up to $7,500 per violation.
The law specifically sets out rights for consumers in Virginia:
- To know what data you hold about them and how you use it (You have 45 days to respond when asked and you can't normally charge to do so.)
- To correct inaccuracies in the data
- To demand you delete data (for example, when no longer needed for the stated purpose)
- To transfer the data to somebody else
- To opt out of you selling their data, using it for targeted advertising, or using it for profiling that creates a legal or other significant effect
- To exercise these rights without discrimination
The CDPA also says you must:
- Have a binding agreement with anyone you use to process data on your behalf that covers how they'll uphold the CDPA
- Carry out a data protection assessment before taking actions that could increase the risk of harm to consumers (such as selling data or processing sensitive personal data)
- Secure data against loss, alteration or unauthorized access