BY Stephen Cavey | 22/04/2021
The Virginia Consumer Data Protection Act (CDPA) is Virginia’s own privacy law, and it is the second state law of its kind in the country, following only California’s. On March 2, 2021, Governor Ralph Northam signed the bill into law; it will go into effect on January 1, 2023. The regulation combines concepts from the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).
The act applies to persons who conduct business in Virginia or who produce and sell products or services that target Virginia residents. It applies to businesses that control or process the personal data of 100,000 or more Virginia consumers during a calendar year, or that control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
These thresholds are what set the CDPA apart from the CCPA. Unlike the CCPA, which sets a gross revenue threshold of $25 million, the CDPA has no gross revenue amount that by itself brings a business into scope.
In addition, there are several types of organizations that are exempt from the regulations outlined in CDPA. They include but are not limited to:
At their core, data compliance laws are consumer-centric and aim to protect individuals from having their personal data exposed or misused and from suffering harm as a result. The bill describes “personal data” as “any information that is linked or reasonably associated to an identified or identifiable natural person.” Personal data does not include de-identified data or publicly available information. “Sensitive data” is a subcategory of personal data that reveals racial or ethnic origin, mental or physical health diagnosis, religious beliefs, sexual orientation, or citizenship or immigration status.
The CDPA follows other compliance laws, such as the CCPA and GDPR, by giving consumers the right to access, correct, delete, and receive a copy of their personal data upon request. Under the CDPA, consumers can also opt out of the processing of their personal data for targeted advertising. Organizations must act on a consumer’s data request within 45 days of receiving it. If a request is denied, organizations must also have a process in place to handle appeals.
A “consumer” is defined by the bill as “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.”
The CDPA requires businesses to make additional disclosures about their personal data processing activities, the rights of individuals, and how consumers may exercise those rights. Organizations are also required to perform data protection impact assessments to ensure their processing activities do not infringe on consumers’ privacy rights, to implement appropriate technical and security controls, and to have appropriate agreements in place with vendors.
Even with internal precautions in place, a data breach may still occur. If a violation is found, the organization will be notified and given 30 days to cure it. If the organization fails to fix the issue, the attorney general of Virginia can seek penalties of up to $7,500 per violation.
Attempting to meet full data compliance alone, whatever the size of your organization, is risky. Partnering with Ground Labs can give your organization peace of mind, knowing that our solutions scan all of your organization’s data surfaces and recognize over 300 data types.
Rushing to meet compliance standards is bound to leave holes somewhere. Commit to meeting the CDPA requirements ahead of the January deadline and schedule a meeting with a compliance expert now.