Virginia recently passed the Consumer Data Protection Act, which introduces a new set of guidelines for businesses surrounding data usage. To learn more about the CDPA and whether your business is affected, read this blog post.
The East Meets the West….
Virginia passed a comprehensive privacy law this week, joining California as the second state to do so. The Virginia Consumer Data Protection Act (CDPA) is set to go into effect in January of 2023. Virginia consumers have opted for the Commonwealth of Virginia’, which draws inspiration from the California Consumer Privacy Act (CCPA) and the proposed Privacy Act in Washington.
Like both the Washington Privacy Act and the Consumer Communications Protection Act before it, the CDPA introduced a new set of rights to consumers in Virginia — as well as new responsibilities for data controllers and processors.
What is the CDPA and who is it applicable to?
The Virginia Consumer Data Protection Act (CDPA) is mostly modeled after the Washington Privacy Act, and it primarily applies to companies and individuals conducting business within the Commonwealth of Virginia or those who manufacture or provide goods or services to Virginia residents.
- control, process or handle the personal data of at least 100,000 Virginia consumers during a calendar year.
- control or process personal data of more than 25,000 residents. Personal data sales make up over 50% of their gross revenue.
The CDPA exempts businesses from HIPAA, GLBA, and other regulations. This is a more extensive exemption than the CCPA, which applies to the information covered by those regulations but not to the organization.
Who enforces it and what are the penalties?
The CDPA imposes fines up to $7,500 per violation.
The Consumer Privacy Protection Act has been enforced by the Virginia Attorney General, and resources will be allocated to enforcement by the Consumer Privacy Fund. Notably, there is no private right of action.
There is a right of cure of up to 30 days of potential violations. It appears states are continuing to give businesses the chance to correct any potential wrongdoings, as this type of legislation is relatively new compared to other regulations and obligations businesses face.
What exactly are the requirements?
Consumers will have access to, correct, delete, and receive a copy of their personal data.
Under the CDPA, consumers can opt-out of targeted advertisement that uses their personal data. If a business has not already implemented a cookie notice, then this will likely require a cookie disclaimer, in which the consumer may be allowed to turn off cookies and trackers when they visit a website.
- Businesses must also make additional disclosures about their collection, processing, use, and disclosure of personal data, as well as how consumers can exercise those rights.
- Businesses are also required to perform impact assessments to ensure they are not infringing upon a consumer’s privacy rights with their processing activities, have implemented appropriate technical and security controls, and have appropriate agreements in place with vendors (referred to as “processors” under the CDPA).
The CDPA is not scheduled to become effective until January 2023, which provides businesses the opportunity to prepare. Businesses that previously adhered to the CCPA and now have a compliance program that meets CCPA requirements can rely on these controls and frameworks with a few tweaks here and there to conform to the CDPA.
Conclusion
If the CCPA has taught us anything, understanding the law as it was passed is just the beginning on the road to compliance. Here at Zeguro we believe in protecting your business through people, process, and technology.
A proper Cyber Liability Insurance policy will provide protection from virtually all forms of cyber vulnerability. You can purchase a Cyber Liability policy online through Zeguro and utilize the intergrated Cyber Safety platform to expedite your compliance.
Start your Quote Today
