In 2021, the Virginia Consumer Data Protection Act (CDPA) was enacted. It will become effective on January 1, 2023. Structured along the lines of consumer data protection laws previously implemented in the European Union and in California, the CDPA establishes a broad set of data privacy rules intended to help protect personal consumer information. All Virginia businesses, and those based elsewhere but operating in Virginia, that are subject to the Act should use 2022 to become familiar with the terms of the CDPA and to develop strategies and practices to comply with the Act by the beginning of 2023. Alliance Law Group can help you to understand the applicability of the CDPA to your organization, and to bring the operations of your organization into compliance by the January 1, 2023 deadline.
The CDPA applies to organizations that conduct business in Virginia or produce products or services that target Virginia consumers and meet at least one of the following criteria: 1.) Control or process data of at least 100,000 consumers per calendar year or 2.) Control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from sale of personal data. The CDPA does not apply to Virginia public institutions, non-profit organizations, institutions of higher education, or organizations governed by HIPAA or Gramm-Leach-Bliley data privacy requirements.
The CDPA establishes several different categories of privacy rights for consumers. Those categories include the right of access to their personal data and the right to have that data deleted or corrected.
The CDPA requires covered organizations to disclose their privacy policies to the public. In general, those privacy policies should include descriptions of personal data processed and discussion of how those data are used, shared, and protected. The privacy policies should also include instructions for consumers on how they can exercise the privacy rights granted to them by the CDPA.
It is worth noting that the CDPA identifies two specific privacy requirements that may not currently be part of the routine operations of many organizations. Thus, the CDPA establishes a requirement that covered organizations conduct data protection assessments to evaluate the risks to consumers associated with collection of particularly sensitive data and with certain uses for personal data. The CDPA also requires that such organizations execute written agreements with all third parties who will be involved in processing consumer data, and the CDPA specifies certain provisions which must be included in those agreements, such as the duty of confidentiality with respect to the data and audit opportunities.
It is also important to note that the CDPA does not authorize consumers to initiate legal action to enforce the CDPA requirements. Instead, the Act provides that all enforcement actions must be brought by the Office of the Virginia Attorney General. It remains to be seen how vigorous or effective such enforcement efforts will be.
All organizations that are subject to the new Act should become familiar with the terms of the CDPA during 2022. Alliance Law Group welcomes the opportunity to assist you and your organization to understand the CDPA and its implications for your organization. We can help you ensure that, if required, your enterprise is fully compliant with the requirements of the CDPA when they become effective on January 1, 2023. We can also help you to prepare to handle effectively the data privacy requests which may be sent to your organization directly from consumers when the CDPA goes into effect. Finally, regardless of whether or not your enterprise is within the jurisdiction of the CDPA, Alliance Law Group can help you to determine whether, and how, to make use of some of the privacy best practices, such as agreements with third party data processors and data protection assessments, which the CDPA introduces.
*This article is not intended to provide legal advice. Individual facts and circumstances vary. Accordingly, please consult Alliance Law Group or other legal counsel with respect to issues concerning the Virginia CDPA.