
Virginia sets the stage for privacy with the Consumer Data Protection Act

The year 2023 is shaping up to be an important one for businesses that operate at a national level. Last November, California amended its California Consumer Privacy Act with several changes, all of which are slated to begin enforcement in 2023. This past week, on March 2nd, Virginia made that date more meaningful by signing its own data privacy law, the Consumer Data Protection Act, which is also slated for enforcement in 2023.

This is noteworthy, as Virginia becomes the second state to pass such a strong privacy law. That said, the law draws much of its text and concepts from the template of the original California Consumer Privacy Act, which was signed into law in 2018 and began enforcement in 2020.

The IAPP has a good writeup of the primary differences between Virginia’s CDPA and California’s CPRA. Still, I am not a lawyer, and I strongly recommend that if you do business with residents of Virginia, you seek legal counsel to understand your risks and the actions you may have to take prior to 2023.

I feel some things are worth calling out specifically:

  • The law seems to apply if the company targets 100,000 customers during a calendar year, or controls or processes the personal data of at least 20,000 consumers and derives at least 50% of its gross revenue from the sale of personal data. This means that the law lacks the revenue thresholds of the CPRA.
  • The term consumer does not apply to a person acting in a commercial or employment context. This is in contrast to the CPRA.
  • “Sale of personal information” is clearly defined as “the exchange of personal data for monetary consideration by the controller to the third party”; it also excludes 5 different kinds of data, such as “disclosures to processors”. This reads to me as more akin to the original definitions of the CCPA from the 2018 law.
  • There are 14 different exemptions for types of data that are excluded from being covered by the law.
  • The CDPA does contain the standard array of rights which have become commonplace in privacy law: Right to Access, Right to Correct, Right to Delete, Right to Data Portability, Right to Opt Out and Right to Appeal.
  • The right to opt out is noteworthy: by opting out, the consumer denies the ability to process their data for targeted advertising, sale of personal data, or profiling in advancing decisions that produce legal or significant effects.
  • The law reads that the data controller must respond within 45 days. They can extend it once by an additional 45 days as long as they tell the consumer. The data controller must comply, regardless of hardship. If they decline to take action on a verified request, the consumer can appeal. The controller has 60 days to process the appeal. If the appeal is denied, the data controller must provide direction on how to contact the Virginia Attorney General to submit a complaint.
  • The data controller is required to “Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue”.
  • Limits on data include “adequate, relevant and reasonably necessary in relation to the purpose for which it is collected”, and the law states that once data is collected, the controller may not use it for different purposes which are not required by or compatible with the disclosed purpose.
  • A Data controller must document a data protection assessment for each of the following activities: processing of personal data for targeted advertising, sale of personal data, processing of personal data for profiling, processing of sensitive data and processing any activities which involve personal data that present a heightened risk of harm to consumers.
  • There is no private right of action. The Virginia Attorney General can investigate claims and must provide a 30-day cure notice. If after that time the violation remains in effect, the Attorney General can fine up to $7500.00 per violation.
  • The law also establishes a consumer privacy fund, and directs the formation of a workgroup to figure out how best to enforce the law; its findings must be submitted no later than November 1st, 2021.

So this will remain an evolving situation until at least the end of 2021. Still, it’s best to be proactive and consult with legal early as to what requirements your organization may be subject to. Maybe you’ll find out you fall under one of the 14 exemptions. Maybe you’ll find that you need to understand a shift in business strategy. One thing, however, is clear: companies which do business in California and Virginia now have to update their processes prior to Jan 1st 2023, and with different definitions under each law, organizations will need to determine whether they want to align to the more stringent law or fork their data collection and usage flows depending on where the consumer lives.

Published in: Legal, Privacy