Governor Ralph Northam has signed the Virginia Consumer Data Protection Act (CDPA) into law. The CDPA requires persons that conduct business in the Commonwealth of Virginia, or that produce products or services targeted to Virginia residents, to follow new data privacy and security standards. The CDPA takes effect on January 1, 2023.
The CDPA borrows some of the privacy and security requirements of the EU's General Data Protection Regulation (GDPR), which has been enforced since May 25, 2018, and of the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. Although the CDPA has much in common with the GDPR and the CCPA, there are also differences, so compliance with either the CCPA or the GDPR does not by itself ensure CDPA compliance.
Like the CCPA, the CDPA applies only to organizations that control or process substantial volumes of consumer data. Its consumer-count threshold is twice as high as the CCPA's, but unlike the CCPA it has no minimum revenue threshold.
The CDPA applies to any person or business that:
- Controls or processes the personal data of at least 100,000 consumers (Virginia residents) during a calendar year; or
- Controls or processes the personal data of at least 25,000 consumers during a calendar year and derives more than 50% of its gross revenue from the sale of personal data.
Exemptions from the Virginia Consumer Data Protection Act
Entities already regulated by certain federal laws that carry their own data privacy and security requirements are exempt from the CDPA. Entities covered by the following laws are exempt:
- The Gramm-Leach-Bliley Act (GLBA)
- The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act
The HIPAA and GLBA exemptions are entity-level exemptions: a covered entity is exempt for all of its data, not only for the data regulated by those acts, so personal data that the CDPA would otherwise cover is exempt as well.
There are additional data-level exemptions for data regulated by the:
- Children's Online Privacy Protection Act (COPPA)
- Driver's Privacy Protection Act
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act
Personal data processed in an employment context is likewise exempt.
Other entities exempt from CDPA compliance include:
- Any body, authority, board, bureau, commission, district, or agency of the Commonwealth of Virginia or of any of its political subdivisions
- Nonprofit groups
- Institutions of higher education
Virginia Consumer Data Protection Act Requirements
The CDPA covers the personal data of any consumer, defined as a natural person who is a resident of the Commonwealth acting only in an individual or household context, not in a commercial or employment context. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person.
The CDPA does not apply to deidentified data or to publicly available information. Publicly available information is defined as information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
The CDPA gives consumers the right to opt out of the sale of their personal data, with sale defined as the exchange of personal data for monetary consideration by the controller to a third party. Processing of sensitive data, by contrast, requires the consumer's consent in advance.
The CDPA also limits data collection to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Data may be used only for purposes that are reasonably necessary for and compatible with the purposes the consumer was told about, unless the consumer consents to a new purpose.
Covered entities must establish and maintain reasonable administrative, technical, and physical data security practices to protect the personal data they collect or process, and data controllers must conduct data protection assessments for higher-risk processing such as targeted advertising, sale, profiling, and the processing of sensitive data. The statute does not specify how often those assessments must be repeated.
The Consumer Rights of Virginia Residents Under CDPA
- Confirm whether a covered entity is processing their personal data and access that data.
- Correct inaccuracies in the personal data held by a covered entity.
- Delete personal data held by a covered entity.
- Obtain a copy of the personal data held by a covered entity in a portable and, where technically feasible, readily usable format.
- Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- Appeal a business's refusal to act on a request. A business must respond to a request within 45 days (extendable once by a further 45 days when reasonably necessary), and must respond in writing to an appeal within 60 days of receiving it.
Penalties for Noncompliance with the CDPA
There is no private right of action under the CDPA, so consumers cannot sue a business directly when they believe their CDPA rights have been violated. The Virginia Attorney General has exclusive enforcement authority and can seek civil penalties of up to $7,500 per violation. Before doing so, the Attorney General must give the business written notice and an opportunity to "cure" the violation; financial penalties apply only if the violation is not cured within 30 days.