The CDPA: A Quick Look at Virginia’s Privacy Law


Earlier this year, Virginia passed a state privacy law set to take effect in January 2023: the Virginia Consumer Data Protection Act, or CDPA. Anyone familiar with the GDPR will recognize several portions of the CDPA which were clearly influenced by European data privacy regulations. Meanwhile, other portions of the CDPA stick closer to privacy laws passed by other states. But Virginia’s privacy law also makes at least one significant change in its requirements for handling consumer information. Let’s take a look at what this new law entails.

What Companies Does the Virginia CDPA Cover?

Any company that has customers based in Virginia, regardless of where the company itself is based, can fall under the CDPA’s jurisdiction. These companies are subject to the CDPA if either of these conditions is met:

  • The company processes or controls at least 25K consumers’ personal data and derives more than 50% of its gross revenue from selling that data to other parties
  • The company processes or controls at least 100K consumers’ personal data in a single calendar year

Non-profits, medical organizations under HIPAA, and financial organizations under the GLBA are not included in this list. Like most privacy laws, the CDPA is primarily concerned with large private companies and their usage of customer information.

Company Responsibilities Under the CDPA

The CDPA requires companies to handle customer data in a secure, respectful manner and to respect users’ rights. The law lays out several responsibilities for any company under its jurisdiction:

  • They must use a trustworthy security system to keep user data confidential and secure
  • They may only collect user data that is relevant and necessary for their purposes, and may not collect more than the bare minimum that they need
  • They may only process user data for their publicly stated purposes
  • They must obtain explicit consent before processing sensitive personal information
  • They may not process user data in a discriminatory manner or for discriminatory purposes
  • They must disclose whether they sell user data to third parties or use data for targeted ads, and clearly explain how users can opt out if desired
  • They must provide at least one simple way to submit an opt-out request, and cannot require that users create a new account to submit their request
  • They must respect users’ right to know how their data is handled, including:
    • The personal data required
    • The purposes for processing
    • What personal data is shared with third parties
    • What third parties receive shared personal data
    • How to exercise their consumer rights
  • None of the users’ rights established in the CDPA can be waived through a contract or any other means

Consumer Rights Under the CDPA

The CDPA establishes two categories of consumer rights: rights related to Data Subject Access Requests (DSARs) and data processing rights. For data processing rights, the law states the following:

  • Consumers have the right to access, correct, delete, or transfer their personal data
  • Consumers have the right to know how their data is being processed and by whom
  • Consumers may opt out of data processing for the purposes of profiling, targeted ads, or sale of their personal data to third parties

Consumer rights during the DSAR process are as follows:

  • Consumers have the right to submit up to two DSARs annually, both free of charge
  • Consumers are entitled to a response to their request within 45 days of submission. A 45-day extension is permitted if required, provided the consumer is notified in advance
  • If a DSAR is denied, consumers have the right to be informed within the 45-day window. They also have the right to know why their request was denied and how to appeal
  • If consumers appeal a DSAR denial, they are entitled to a response within 60 days of submitting the appeal

Opt-In vs Opt-Out Requirements for Sensitive Personal Data

Privacy laws define sensitive personal data as information of a more private nature to the customer. Examples include:

  • Political tendencies
  • Ethnicity
  • Religious beliefs
  • Physical or mental health history
  • Citizenship
  • Genetic information
  • Specific geographic location
  • Information related to any children the user has

This is an added layer of protection for sensitive data. Rather than only allowing customers to opt out of providing this information, as California’s CPRA does, Virginia requires companies to obtain explicit consent to collect and process this information in the first place. Companies are also required to obtain explicit consent before processing sensitive personal information for purposes beyond what is strictly necessary.

This is a significant departure from the conventional opt-out requirements codified in several existing US privacy laws. Additionally, this makes it easier for a user to keep their personal data private. They will not be required to provide this information by default and then work through any opt-out process the company may have in place. Instead, they can simply choose not to provide the data to begin with. Future US privacy laws may take a cue from this change and implement similar requirements themselves.

A Significant Step for Privacy Regulation

The passing of the CDPA is just one more change in the privacy regulation landscape. And with new requirements, there’s plenty for companies to keep track of. We’re proud to offer a solution: 4Comply, our specialized privacy software that allows you to easily handle customer data based on their local regulations. Keep your marketing strategy legally in the clear with our help! Contact us today for more information.