How to Comply with Virginia's CDPA

Virginia's new Consumer Data Protection Act (CDPA) means many businesses serving consumers in the state of Virginia will need to follow new rules on data privacy and handling. As with California's CCPA, the measures can affect businesses from outside the state.

Here's what you need to know and do to comply with the new rules.


The Background of the CDPA

The CDPA passed into law in March 2021 and its measures will take effect on 1 January 2023. In broad terms, it combines elements of Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Supporters of the CDPA argue that its measures take into account the differing levels of success enjoyed by different elements of other privacy laws. In particular, the CDPA aims to balance establishing and upholding consumer privacy rights with minimizing the burden on businesses.

Who is Covered by the CDPA?

The CDPA's primary threshold is that it applies to businesses that process the personal data of more than 100,000 Virginia consumers in the same year. The threshold is designed to cover business-consumer relationships, so it doesn't cover personal data about a business's own staff in an employment context.

The threshold falls to 25,000 if the business gets more than half of its gross revenue from selling personal data.

Unlike some privacy laws, the revenue of the business does not matter.

Exemptions to the CDPA

Even if a business meets the threshold, it will be exempt from the CDPA in some circumstances.

A business based outside of Virginia that does not "target" Virginia consumers is exempt. As a guideline, simply having a website that is accessible in Virginia does not automatically make a business subject to the CDPA. However, marketing products or services that are available to buy or order from Virginia would count as targeting Virginia consumers.

"Target" doesn't mean the business prioritizes getting Virginia customers over those in other states. Rather it means consumers in Virginia are among its intended audience or customer base.

Businesses that are already subject to a federal privacy scheme are exempt. Key examples include the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act for financial institutions, and HIPAA for health information.

Businesses that act in a Business-to-Business (B2B) role will be exempt in practice. This isn't an automatic exemption based on status, but rather a simple result of the fact such businesses won't meet the 100,000/25,000 consumer thresholds.

Key Definitions Under the CDPA

The CDPA defines several concepts and these definitions sometimes vary from those used in other privacy laws.

Personal Data and Consumers

The CDPA defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable natural person."

This is an intentionally broad definition.

However, the law only covers personal data about consumers, defined as somebody "acting only in an individual or household context" and not "acting in a commercial or employment context." Again, this means the CDPA doesn't cover information about employees.

Sensitive Data

Like some other privacy laws, the CDPA has special rules for data classed as "sensitive."

This covers personal information that reveals any of the following:

  • Citizenship or immigration status
  • Mental or physical health diagnosis
  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation

It also covers the following:

  • Biometric or genetic data used to identify somebody
  • Personal data collected from somebody you know to be a child
  • Precise geolocation data

Controllers and Processors

As with the GDPR, the CDPA has different rules for data controllers and data processors. It uses a similar definition, with controllers being the businesses that decide what data is collected and why. Processors are businesses that physically carry out processing on behalf of (and following the instructions of) a data controller.

Consumer Rights Under the CDPA

The CDPA's express intention is to establish and uphold a series of consumer rights. These rights underpin the various requirements the CDPA places on businesses. Because the rights are expressly stated in the law, they may act as a guiding principle if a court ever has to rule on the interpretation of the CDPA's specific measures.

The rights are as follows:

  • The right to know if a business is processing the consumer's personal data and, if so, to access it
  • The right to correct inaccuracies in personal data
  • The right to demand a business delete personal data (when such demands should be met is not firmly established yet)
  • The right to get a copy of the personal data in a form that the consumer can transfer to another data controller
  • The right to opt out of personal data being sold, being used for targeted advertising, or being used for profiling that produces a legal or significant effect

Data controllers cannot discriminate against a consumer for exercising these rights.

Requirements of the CDPA

If you are a data controller subject to the CDPA, you have several legal obligations. Data processors must follow the data controller's orders to make sure these obligations are met.

Data Access Requests

The CDPA sets out specific rules for the way consumers can exercise their rights. Any consumer can make two data access requests a year without charge. Any further requests must also be without charge unless you can show that the request is "manifestly unfounded, excessive, or repetitive." Even if this is the case, any charge must be reasonable and only cover administrative costs.

Once you receive a request, you must either respond within 45 days or, if "reasonably necessary", tell the consumer within 45 days that it will take longer. In the latter case, the final deadline for responding extends to 90 days.

Regardless of these two deadlines, you must always respond without undue delay: in other words, as soon as possible.

You can only refuse a request if it is not possible to fulfil it using "commercially reasonable efforts." If you do not have enough information from the consumer, you must ask for it. If you do refuse a request, you must say why and tell the consumer that they have the right to appeal your decision.

If the consumer appeals, you have 60 days to decide how to respond to this appeal and explain this response to the consumer. You must also give them details of how to complain to the Attorney General.

WRAP London explains how its customers can exercise their data rights. It would have been better with clearer language and an explanation of the term SAR (statutory access rights):

Wrap London Privacy Notice: Your Rights chart excerpt

A Privacy Disclosure/Privacy Policy

The CDPA says data controllers must publish a privacy notice, better known as a Privacy Policy. This must be "reasonably accessible, clear, and meaningful."

Your Privacy Policy must include the following information:

  • The categories of personal data that you collect
  • The purpose or purposes for which you collect and process data
  • The categories of personal data that you share with third parties
  • The categories of third parties with which you share personal data
  • How consumers can exercise their CDPA rights
  • How consumers can appeal against a decision you make regarding the exercise of CDPA rights
  • Whether you sell personal data to third parties and, if so, how to opt out
  • Whether you use personal data for targeted advertising and, if so, how to opt out

Unlike some privacy laws, the CDPA doesn't define how you class personal data and third parties into different categories. As the law stresses the need for the Privacy Policy to be clear and meaningful, you should strike a balance of going into enough detail to be informative but not having so many categories that the consumer may be overwhelmed.

VMware shows an effective way to do this to comply with California's CCPA, listing the relevant categories defined by the law and then giving specific examples. Many businesses affected by both laws will find it easiest to use the same categories for CDPA compliance:

VMWare Privacy Policy: Your California Privacy Rights section - Category of Personal Information Collected chart excerpt

The CDPA doesn't mandate the ways in which you must accept opt-out and access requests, but suggests they should be in line with the normal ways consumers contact you. Until the law is tested in practice, it will probably be safer to accept requests in a variety of ways, including email (or online form), physical mail and telephone.

The CDPA doesn't specify when consumers must see the information in your Privacy Policy. However, the requirement that the notice be "meaningful" means it is safest to have it readily available (for example, permanently hyperlinked on your website) and draw the consumer's attention to it either before or when they provide any personal data.

The Early Years Alliance highlights a link to its Privacy Policy on the page where people can sign up to its newsletter, which involves providing personal data:

Early Years Alliance email newsletter sign-up page with Privacy Notice link highlighted

Data Collection and Use

The CDPA says you must only collect personal data that is relevant and necessary for the purposes you state when collecting it. You must then only use it for the stated purposes. You cannot use it for any other purpose without specific consent.

Tennis Canada gives clear explanations of the various purposes for which it collects personal data:

Tennis Canada Privacy Policy: Identifying Purposes for collecting information clause excerpt

In most cases, the CDPA doesn't require consent before you use personal data, but rather that you merely make consumers aware of that use. As noted, you must get consent before using personal data for a purpose other than what you have already stated.

You must also get consent before collecting or using any personal data that falls into the sensitive category.

Data Controllers and Processors

For the most part, it's data controllers who are responsible for complying with the CDPA.

However, the CDPA says any data controller who uses a data processor must have a data processing agreement with them. This must give clear instructions regarding what data to process, how to process it, how long to process it for, and the respective rights and obligations of the data controller and data processor.

The CDPA says the agreement must include the following measures:

  • Anyone processing personal data must have a binding duty of confidentiality
  • The processor must delete or return the data "at the end of the provision of services"
  • The processor must provide any information necessary for the controller to be able to show the processor has followed the CDPA
  • The processor must cooperate with any assessment by the controller or contracted third party to check compliance with the CDPA
  • If the processor uses subcontractors, they must have their own data processing agreement that passes down the relevant responsibilities and obligations

Securing Data

The CDPA says you must take adequate security measures to make sure personal data remains confidential, accessible and complete. This should include administrative, physical and technical measures.

As the CDPA only sets out the minimum information you must include in a Privacy Policy, you can add detail about how you secure data, which will boost confidence and trust with customers.

Save The Elephants has a section to this effect in its Privacy Policy:

Save The Elephants Data Privacy Policy: How do we protect personal information clause

The CDPA also says you must carry out a formal data protection assessment covering the way you process any of the following:

  • Sensitive personal data
  • Personal data you sell
  • Personal data you use for targeted advertising
  • Personal data you use for profiling
  • Personal data used in a way that creates a "heightened risk of harm to consumers"

The assessment should take into account benefits and risks for both you and the consumer, any safeguards you use, and the relationship you have with the consumer.

The conclusions you reach from the assessment don't necessarily have to decide whether you proceed with the processing. However, you must keep a record of the assessment.

If the Attorney General later investigates an alleged breach of the CDPA, they can demand a copy of the relevant data protection assessment. This could affect their conclusions of what responsibility you bear for the breach.

Penalties For Breaching the CDPA

Unlike some privacy laws, consumers who allege a breach of the CDPA cannot take legal action themselves.

Virginia's Attorney General can order a business to correct any violation within 30 days. If the business does not do so, the Attorney General can impose a civil penalty with a maximum of $7,500 per violation. (Each individual affected by a breach counts as a separate violation.)

Summary

Let's recap what you need to know about Virginia's Consumer Data Protection Act:

  • The Act's measures take legal effect on 1 January 2023.
  • The CDPA affects businesses that target Virginia consumers and process the data of more than 100,000 Virginia consumers in a year. The threshold falls to 25,000 if the business makes more than half its annual revenue from selling personal data.
  • The definition of "target" is broad and simply means the business intends to have customers in Virginia.
  • The CDPA upholds five consumer rights:

    • To know what personal data you process about them
    • To correct inaccuracies
    • To demand you delete personal data
    • To get a copy of the personal data that they can transfer to another business
    • To opt out of you selling their personal data, using it for targeted advertising, or using it for profiling that creates a legal effect
  • If a consumer exercises these rights, you must respond as soon as possible, with a maximum of 45 days. If it will take more than 45 days you must tell the consumer and then respond within 90 days.
  • You can only refuse a request if you cannot reasonably fulfil it. If this happens, the consumer can appeal the refusal. You must respond to this appeal within 60 days.
  • You must publish a Privacy Policy covering:

    • What personal data you collect
    • Why you collect and use it
    • What personal data you share with third parties and who they are
    • How consumers can exercise their rights and appeal against your response
    • Whether you sell personal data to third parties and how to opt out
    • Whether you use personal data for targeted advertising and how to opt out
  • You don't need consent for using most personal data for the purposes stated in your Privacy Policy. You do need consent before using personal data for other purposes. You also need consent before using any personal data classed as sensitive.
  • If you use a data processor you must have an agreement in place that sets out rights and responsibilities and makes sure you continue to comply with the CDPA.
  • You must secure personal data against loss, unauthorized access or damage.
  • You must carry out a data protection assessment before processing personal data that is classed as sensitive; processing personal data that you sell; processing personal data that you use for targeted advertising or profiling; or processing that risks harm to the consumer. The state's Attorney General can ask to see this data protection assessment when investigating an alleged breach.
  • Consumers can't take legal action over CDPA breaches. The state's Attorney General can order you to fix a breach within 45 days. If you don't, the Attorney General can fine you $7,500 per violation.