As if remembering the names and acronyms of established data protection regulations wasn’t difficult enough as it is, many organizations that control or process personal information of Virginia residents now have to remember yet another one: Virginia’s Consumer Data Protection Act, or CDPA for short.
Signed into law in March 2021, it followed the California Consumer Privacy Act (CCPA), passed in 2018, as the second comprehensive consumer privacy law enacted by a US state. It grants consumers the right to access, correct, delete and obtain a copy of their personal data, and to opt out of its processing for purposes of:
- Targeted advertising
- Sale to third parties
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
The CDPA went into effect on January 1, 2023, so organizations within its scope must already be compliant or face enforcement and financial penalties.
While the passing of the CDPA didn’t affect every organization in the United States, other similar data protection acts are expected to be introduced in the future. So, it makes sense to prepare early.
Here’s what you need to know about the Virginia Consumer Data Protection Act.
Who Does the CDPA Affect?
The CDPA applies to persons that conduct business in Virginia, or produce products or services targeted to Virginia residents, and that during a calendar year control or process the personal data of at least 100,000 consumers.
It also applies to those that control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. Unlike the CCPA, there is no standalone revenue threshold: a large business that stays under both volume thresholds is out of scope.
The CDPA exempts several categories of entity, most of which are already subject to sector-specific regulation:
- Financial institutions, and data, subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates governed by HIPAA
- Nonprofit organizations
- Institutions of higher education
- Bodies, agencies and political subdivisions of the Commonwealth of Virginia
It’s also important to note that the CDPA defines a “consumer” as a natural person acting in an individual or household context, so data about employees, job applicants and business-to-business contacts falls outside its scope.
What Requirements Must Controllers Meet to Achieve Compliance?
In terms of controller obligations (purpose limitation, data minimization, reasonable security practices, a privacy notice and written contracts with processors), the CDPA is far from revolutionary. Organizations that already comply with other data protection regulations, such as GDPR, will recognize most of it and have relatively little to add.
The deadlines do differ, however. Controllers in Virginia have 45 days to respond to a consumer request, extendable once by a further 45 days when reasonably necessary, while GDPR gives controllers one month, extendable by two further months for complex requests. The CDPA also requires controllers to offer consumers a process to appeal a refused request, so request handling needs an appeal path, not just a response queue.
Perhaps the biggest direct impact of the CDPA is the requirement for controllers to conduct and document data protection assessments for each of the following processing activities:
- The processing of personal data for purposes of targeted advertising.
- The sale of personal data.
- The processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
  - (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - (ii) financial, physical, or reputational injury to consumers;
  - (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
  - (iv) other substantial injury to consumers.
- The processing of sensitive data.
- Any processing activities involving a heightened risk of “harm” to consumers.
In this respect the CDPA’s assessments closely resemble the Data Protection Impact Assessments described in Article 35 of the GDPR, and an existing DPIA that weighs the benefits of the processing against the risks to the consumer and the safeguards in place will cover most of the ground. Keep them on file: the Attorney General may request a copy of an assessment in connection with an investigation.
Are There Any Penalties for Noncompliance?
Yes. The Virginia Attorney General has exclusive authority to enforce the Consumer Data Protection Act; there is no private right of action. Civil penalties can reach up to $7,500 per violation, and the Attorney General may also recover the reasonable expenses of investigating and preparing the case, including attorney fees.
The 30-day “right to cure” is not a one-off grace period tied to the January 2023 effective date. Before initiating an action, the Attorney General must give the controller or processor written notice of the specific violations alleged. If the violation is cured within 30 days and the Attorney General receives a written statement that it has been cured and that no further violations will occur, no action is brought.
Other states have included similar right-to-cure provisions in their data protection laws, although some of them expire after an initial period, so the cure period should be treated as a safety net rather than a substitute for compliance.
Compliance Strategies for Virginia's Consumer Data Protection Act
Under the Virginia Consumer Data Protection Act, residents have concrete rights over their personal data: to confirm whether it is being processed, to access, correct and delete it, to obtain a portable copy, and to opt out of targeted advertising, sale and profiling that feeds legally significant decisions. Your organization needs a working process to honor each of those requests within the 45-day deadline, including a way to verify the requester’s identity and a documented appeal path. Failure to comply can result in enforcement actions, financial penalties, and harm to your reputation.
To ensure compliance and get real value from disciplined data management, consider engaging compliance professionals early. They can help you inventory the personal data you hold, confirm whether you cross the CDPA’s thresholds, conduct compliance audits, and produce the data protection assessments the Act requires.
This approach not only helps avoid legal pitfalls but also strengthens your data protection posture, enhancing customer trust and organizational integrity.