Prepare for the CDPA: East Coast Meets West Coast as Virginia Signs Privacy Law21st Apr 2021 –
The state of Virginia recently voted to become the first state on the East Coast to enact a law governing how companies protect consumers’ personal data. The new law comes as tech giants face pushback from lawmakers and consumers over their handling of personal information.
The Virginia Consumer Data Protection Act (CDPA) bill was signed into law on 2 March 2021 and will go into effect in 2023.
Similar to the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), and even Europe’s GDPR, the CDPA is the latest development in what has been a watershed year for privacy legislation in the United States.
But businesses who’ve worked on compliance with the other laws shouldn’t rest on their laurels. They still need to prepare for the CDPA, which has different provisions from those of the CCPA or the CPRA.
In this article, we take a look at these distinct provisions of the Virginia Act and compare them to the CCPA (as amended by the CPRA) and the GDPR.
|Key Provisions||Virginia CDPA||
CaliforniaCCPA + CPRA
|Ability to Process|
|Right to receive notice of processing activities||Yes||Yes||Yes|
|Right to access personal data||Yes||Yes||Yes|
|Right to data portability (i.e., data must be provided in a readily usable format, so it can be transferred from one entity/platform to another)||Yes||Yes||Yes|
|Right to correct errors in personal data||Yes||No||Yes|
|Right to delete personal data||Yes||Yes||Yes|
|Right to opt-out of behavioral advertising||Yes||No||Yes|
|Right to object to automated profiling and decision making||Yes||No||Yes|
|Right to non-discrimination for the exercise of these rights||Yes||Yes||Yes|
|Right to opt-out of sales of personal information||Yes||Yes||No|
|Opt in or opt out for processing of sensitive information||Opt-in||Opt-out||Opt-in|
|Right to appeal denial of requests||Yes||No||No|
|Data Protection Assessments||Yes||No||Yes|
|Appropriate Data Security to Safeguard Information||Yes||Yes||Yes|
|Data Transfers Outside EEA|
|Additional measures for international transfers||No||No||Yes|
|Transfers to Third Parties|
|Contractual Requirements in Service Provider Agreements||Yes||Yes||Yes|
|Consent for Adtech cookies||Yes||Yes||Yes|
|Consent obtained prior to direct marketing||No||No||Yes|
|Attorney General||Attorney General, CPPA||DPA|
|1 January 2023||1 January 2020 / 1 January 2023||25 May 2018|
Watch this video for more information on the differences between EU and US privacy laws and which privacy standards should be considered when performing A/B testing.
Businesses that have worked on achieving compliance with the CCPA or GDPR will find that these laws have a lot of similar verbiage and terminology; however, it is a mistake to assume that the Virginia law has identical requirements.
While there are similarities to the CCPA and GDPR, the CDPA contains nuances that are likely to be unique to each organization.
If you’re getting overwhelmed reading this, check out the step-by-step instructions we’ve laid out below to help tackle compliance with the new privacy law.
FIrst, have the lawyers, IT professionals, and privacy specialists within your organization assess the law’s application to your business. Then, identify any gaps and develop a compliance plan that includes solutions for these issues.
Let’s go into further detail, shall we?
To achieve compliance with the CDPA, you need to:
- Create and maintain a comprehensive data inventory, providing insight into both the types of data involved and the nature of processing activities.
- Ensure that sensitive data is segregated and managed without unnecessary risks.
- Implement a framework for conducting Data Protection Impact Assessments (DPIA).
- Assess the cybersecurity policies, practices, and controls in place to ensure they are consistent with industry-recognized standards.
- Enable consumers to opt-out of the sale of their personal information (where applicable).
- Update public-facing privacy policies to, among other changes, pledge not to re-identify de-identified personal data and provide details on its data processing activities.
- Develop mechanisms for accepting, tracking, verifying, and honoring consumer requests to access, correct, delete, and opt-out personal data under the CDPA.
- Ensure that your customer service employees have accurate knowledge of the regulations to satisfy consumer requests efficiently and predictably.
Finally, while 2023 may seem a distant future, don’t postpone building your compliance plan.
If other recent privacy laws taught us anything, it’s that these initiatives require extensive efforts and time to carefully plan, spot gaps in your privacy mechanisms, and implement new policies, processes, and remediation efforts.
It is not too early to start CDPA compliance efforts as more states, such as New York and Washington, begin to enact consumer privacy protection laws.
As more state legislatures become active in passing consumer privacy protection bills or laws, one thing becomes clear: ensuring customer privacy can no longer be an afterthought. It must be baked into your business model.