- 1. Does the CDPA Affect Your Business?
- 1.1. Virginia Consumer Data
- 1.2. Targeting Consumers
- 1.3. Are you Exempt From the CDPA?
- 3.1. "The Categories of Personal Data Processed by the Controller"
- 3.2. "The Purpose for Processing Personal Data"
- 3.3. "How Consumers May Exercise Their Consumer Rights [Under the CDPA] Including How a Consumer May Appeal a Controller's Decision With Regard to the Consumer's Request"
- 3.3.1. Means of Communication
- 3.3.2. Timescale, Costs and Appeals
- 3.4. "The Categories of Personal Data that the Controller Shares With Third Parties, if Any"
- 3.5. "The Categories of Third Parties, if any, With Whom the Controller Shares Personal Data"
- 3.6. Additional Information
- 5. Summary
Does the CDPA Affect Your Business?
The CDPA has passed into law and its measures will take effect from 1 January 2023. The delayed implementation is partly to make sure affected businesses have no excuse for failing to comply from this date. The scope of the law is based on one key threshold but has several exemptions.
Virginia Consumer Data
The main threshold for having to comply with the CDPA is that you are a data controller responsible for the processing of personal data of more than 100,000 Virginia consumers each year. This threshold reduces to 25,000 if you make more than half of your gross revenue from selling personal data.
Being a data controller means you make the decisions about what data to process and how. If you are merely a data processor working on behalf of a data controller and following their instructions, you are not directly responsible for complying with the CDPA. However, you must have a data processing agreement with the data controller that covers how you will help them comply.
Note that the CDPA and its eligibility threshold only cover consumer data. It doesn't cover data from business-to-business relationships or data about your staff in an employment context.
The CDPA only applies to businesses that "target" Virginia consumers, regardless of the business's location. This means you wouldn't be covered simply because you had a website that, by the nature of the internet, is inherently available to view in Virginia.
On the other hand, "target" doesn't mean you aim your business solely or as a specific priority towards consumers in Virginia. It simply means they are among your intended customer base.
In practice, the 100,000 Virginia consumer threshold means the issue of targeting will rarely be the deciding factor in whether a business must comply with the CDPA.
Are you Exempt From the CDPA?
You are exempt from the CDPA if you are already covered by a federal privacy law, even if you meet the threshold to comply. Examples include HIPAA for health data and the Gramm-Leach-Bliley Act for financial institutions.
If you are covered by one of these laws, you are completely exempt from the CDPA. This differs from the California Consumer Privacy Act where the equivalent exemption is limited to specific types of data.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
"The Categories of Personal Data Processed by the Controller"
Unlike California's CCPA, the CDPA does not specify the categories you use when breaking down the data you collect.
This is a very good format for displaying information to users in a way that's easy to understand and well-organized.
"The Purpose for Processing Personal Data"
This means telling customers why you will collect or use their data. Unlike some laws, such as Europe's GDPR, the CDPA doesn't limit the purposes for which you can use data, as long as you list them.
Being complete and accurate here is important. Under the CDPA you don't need prior consent to collect or use data as long as you have informed the consumer about that processing. However, you do need consent to process the data for any other purpose, either immediately or later on.
The Stockholm International Water Institute gives clear explanations of its purposes for processing data in specific circumstances:
"How Consumers May Exercise Their Consumer Rights [Under the CDPA] Including How a Consumer May Appeal a Controller's Decision With Regard to the Consumer's Request"
- To know whether you process data about the consumer and, if so, to access it
- To correct any inaccuracies in the data
- To delete the data. (The CDPA doesn't set out any limits on this right, though these could be established in later guidance or rulings.)
- To get a copy of the data in a "portable" and "readily usable" format, where available, so the consumer can transfer it to another controller
- To opt out of their data being used for targeted advertising, being sold, or being used for profiling in a way that produces "legal or similarly significant effects"
Means of Communication
You must tell users how they can exercise these rights, for example what means they can use to contact you and what details they need to provide. You must offer at least one method that is "secure and reliable."
The CDPA doesn't specify the acceptable ways to exercise the rights but does say it should take into account how people normally interact with you. For example, if you have a customer support phone line or email address, it likely wouldn't be reasonable to say consumers can only exercise their CDPA rights by mail.
You can (and should) have a process for verifying a consumer's identity before providing any personal data in response to an access request.
Refinitiv provides a clear link to exercise data privacy rights and explains the verification process:
Timescale, Costs and Appeals
It makes sense to also list the timescales set out by the CDPA, which are as follows:
- Normally you must respond to an initial request within 45 days. Despite this deadline, you must respond "without undue delay."
- If you can't meet this deadline, you must inform the consumer within the original 45 days. You can then extend the deadline by a further 45 days.
- If you refuse to meet the request, the consumer can appeal your refusal. You must have a "conspicuous" process for them to do so. You then have 60 days to respond to the appeal. If you refuse the appeal, you must tell the consumer how to contact the state Attorney General to complain.
You cannot charge a fee for handling the first two requests a consumer makes in a year. For further requests you can only charge if you consider the request to be "manifestly unfounded, excessive or repetitive." Even if you do charge, the fee must be reasonable and only cover your administrative costs.
"The Categories of Personal Data that the Controller Shares With Third Parties, if Any"
To meet this requirement, you'll need to list any categories of data that you disclose, regardless of whether you receive a payment for it.
Snap uses clear categories and gives good examples and explanations:
"The Categories of Third Parties, if any, With Whom the Controller Shares Personal Data"
Again, this covers data that you disclose to a third party, regardless of whether you receive a payment for it.
The CDPA doesn't specify how you should categorize third parties. (This may be addressed in official guidance before the law's measures take effect.)
Our World In Data uses an effective mix of describing general categories of third parties and giving specific information about particular third-parties:
The CPDA says you must "clearly and conspicuously" state when you sell personal data to third parties or use personal data for targeted advertising. You must also tell consumers how they can opt out of such processing.
In this context, "sell" only means exchanging the data for money. Disclosing it without payment or in return for services does not count.
Let's recap what you need to know and do to comply with the CDPA's rules on Privacy Policies:
- The CDPA applies if you handle the personal data of 100,000 Virginia consumers in a year. The threshold is 25,000 if at least 50% of your revenue comes from selling data.
- The CDPA only covers personal data about consumers. It doesn't cover business-to-business or employer-employee contexts.
- The main exclusion is that you are covered by a federal law regarding data privacy.
- The CDPA explicitly requires you to have a "reasonably accessible, clear, and meaningful privacy notice."
- The categories of data you process
- The purposes for processing the data
How consumers can exercise their rights, which include:
- To know what data your process about them and to access it
- To correct inaccuracies
- To delete data
- To get a copy of data in a portable format
- To opt out of you selling their data or using it for targeted advertising of profiling
- How consumers can appeal against your decisions regarding exercising their rights
- The categories of data you share and the categories of third parties you share it with