The Virginia Consumer Data Protection Act (CDPA) establishes a tool known as “data protection assessments” to help safeguard consumer data privacy. Data protection assessments are mandatory for organizations subject to the CDPA when those organizations process consumer data for certain purposes.
Data protection assessments are analyses of the relative impact of the proposed data use on the consumer, the organization processing the data, other stakeholders, and the general public. The assessments must weigh the potential benefits of the data use to the consumer, the data collector, other stakeholders and the public against the potential harm that may result to the consumer, taking into account the safeguards the data collector can employ to reduce that risk. The CDPA specifies that data protection assessments are confidential documents and exempt from disclosure under the Virginia Freedom of Information Act. However, the Act gives the Virginia Attorney General the authority, pursuant to a civil investigative demand, to obtain any data protection assessment that is relevant to an investigation conducted by the Attorney General. The AG also may use the data protection assessment to evaluate the data collector’s compliance with relevant provisions of the CDPA.
The CDPA requires completion of a data protection assessment before an organization processes “sensitive data” from a consumer. Sensitive data includes data regarding a person’s racial or ethnic origin, religious beliefs or sexual orientation. It also includes data associated with an individual’s mental/physical health diagnosis or immigration status. Precise geo-location data and genetic/biometric data are also considered to be sensitive data. Personal data collected from an individual younger than 13 years of age also constitutes sensitive data.
Data protection assessments also are required before any personal data can be used for certain purposes, even if the data are not deemed to be sensitive data. Thus, data protection assessments are required before personal data can be sold. They are also required before personal data can be used for profiling or for targeted advertising. In addition, the assessments are required before personal data can be processed for any purpose that could present a heightened risk of harm to consumers.
Beginning January 1, 2023, the effective date of the CDPA, all organizations subject to the CDPA must make use of data protection assessments for the above activities.
Alliance Law Group can help your organization to determine if it is required to implement data protection assessments, and, if so, we can help you to implement those assessments efficiently and effectively. Organizations not required to use data protection assessments under the CDPA may also wish to consider using this tool. ALG can assist such organizations in evaluating the risks and benefits of such a voluntary assessment and in conducting such an assessment if the determination is made to go forward.
* This article is not intended to provide legal advice. Individual facts and circumstances vary. Accordingly, please consult Alliance Law Group or other legal counsel for issues concerning data protection assessments and compliance with the Virginia CDPA.