Earlier this year, Virginia passed a state privacy law set to take effect in January 2023: the Virginia Consumer Data Protection Act, or CDPA. Anyone familiar with the GDPR will recognize several portions of the CDPA which were clearly influenced by European data privacy regulations. Meanwhile, other portions of the CDPA stick closer to privacy laws passed by other states. But Virginia’s privacy law also makes at least one significant change in its requirements for handling consumer information. Let’s take a look at what this new law entails.
Any company that has customers based in Virginia, regardless of where the company itself is based, can fall under the CDPA’s jurisdiction. These companies are subject to the CDPA if one of these conditions is met:
Non-profits, medical organizations covered by HIPAA, and financial organizations covered by the GLBA are not included in this list. Like most privacy laws, the CDPA is primarily concerned with large private companies and their use of customer information.
The CDPA requires companies to handle customer data in a secure, respectful manner and to respect users’ rights. The law lays out several responsibilities for any company under its jurisdiction:
The CDPA establishes two categories of consumer rights: Data Subject Access Request (DSAR-related) rights and data processing rights. For data processing rights, the law states the following:
Consumer rights during the DSAR process are as follows:
Privacy laws define sensitive personal data as information of a more private nature to the customer. Examples include:
This is an added layer of protection for sensitive data. Rather than only allowing customers to opt out of providing this information, as California’s CPRA does, Virginia requires companies to obtain explicit consent before collecting and processing this information in the first place. Companies are also required to obtain explicit consent to process sensitive personal information for purposes that are strictly unnecessary.
This is a significant departure from the conventional opt-out requirements codified in several existing US privacy laws. Additionally, this makes it easier for a user to keep their personal data private. They will not be required to provide this information by default and then work through any opt-out process the company may have in place. Instead, they can simply choose not to provide the data to begin with. Future US privacy laws may take a cue from this change and implement similar requirements themselves.
The passing of the CDPA is just one more change in the privacy regulation landscape. And with new requirements, there’s plenty for companies to keep track of. We’re proud to offer a solution: 4Comply, our specialized privacy software that allows you to easily handle customer data based on their local regulations. Keep your marketing strategy legally in the clear with our help! Contact us today for more information.