Top Industry Insights on Virginia Consumer Data Protection Act (CDPA)
The Virginia CDPA will come into effect on January 1, 2023—the same date as the California Privacy Rights Act (CPRA) amendments take effect
The Virginia Consumer Data Protection Act (CDPA) is now law. It will come into full effect on 1 January 2023. Virginia’s governor, Ralph Northam, signed the CDPA bill, making Virginia the second state with a privacy law. Virginia follows California, whose CCPA came into effect last year. The CDPA is inspired by the CCPA and GDPR in many ways, and empowers internet users and consumers to effectively pursue their rights to access, correct, delete and obtain a copy of any PII. The CDPA allows users to opt out of the selling, processing, and targeting of PII for any targeted marketing / digital advertising campaigns.
Coincidentally, the Russian parliament, the Duma, has also made amendments to its existing and upcoming laws in the realm of data protection in Russia.
Most US States to Follow a Model State Privacy Act?
In a recent report, Consumer Reports along with Digital Lab proposed a much-needed initiative to drive data privacy regulations with more uniformity across the US. The idea is called the “Model State Privacy Act”, which would ensure that every company in the US complies with laws related to consumers’ privacy.
In the last few decades, we have seen every organization become a data-driven business, leveraging the data collection services of various internet companies, like Google, Facebook and Apple. The rise of Big Data intelligence has augmented data collection and processing practices, even as companies have been found to be flouting norms on consumers’ private information, for example by selling and monetizing user data without the consumer’s explicit consent.
Meanwhile, Virginia is not the only state to be gearing up for a full-fledged data privacy framework. States such as Alabama, Arizona, Connecticut, Florida, and Kentucky have all introduced similar bills to meet the ongoing CCPA/GDPR-compliant standards.
The Virginia CDPA will come into effect on January 1, 2023—the same date as the California Privacy Rights Act (CPRA) amendments take effect—and will require entities subject to the law to coordinate efforts to ensure compliance with the growing obligations under these dynamic privacy law developments.
The CDPA will apply to companies that conduct business in Virginia, or that target their products and services to Virginia residents, and that either:
(i) control or process personal data of at least 100,000 Virginia residents or
(ii) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
We spoke to industry experts on the Virginia CDPA, and this is what they had to say.
Virginia’s CDPA appears to spare smaller businesses from complying with the privacy law.
Bill O’Neill, VP of Public Sector, Centrify:
“Compliance with Virginia’s newly-introduced privacy bill, the Consumer Data Protection Act (CDPA), may introduce complexities for many large businesses due to currently distributed workforces. Unfortunately, we are in a time where more information is online, and more dispersed than ever before, making everyone more vulnerable.
Using essential cyber measures that secure privileged accounts is imperative to prevent hackers from gaining access to privileged account data, as well as private messages, security information, and other personal details. But, unlike the revenue-based compliance hurdles in the California Consumer Privacy Act (CCPA) and the private right to action, Virginia’s CDPA appears to spare smaller businesses from complying with the privacy law, or being subject to costly litigation in the event of a breach. This can be a double-edged sword for consumers, especially if smaller businesses are not investing in technologies to secure access or identities, and don’t have IT administration teams to help secure customer data.
Still, this law could spark further dialogue toward a national standard that protects consumer privacy and gives individuals control over how their data is used. We advocate for organizations to adopt a least privilege approach to reduce unnecessary and potentially damaging lateral movement inside of networks, in addition to using solutions that enable secure remote access to data centers and cloud-based infrastructure. These solutions secure all administrative access with risk-aware, multi-factor authentication (MFA) and, as a best practice, maintain the level of compliance that can improve an organization’s security posture, minimize the risks of compromised credentials, and ensure data privacy for both the organization and its customers for the long term.”
The CDPA echoes the importance of consent.
Josh Odom, CTO, Pathwire
“With Virginia’s new privacy law, the Consumer Data Protection Act (CDPA) being sent to the governor’s desk, it’s time we broke down the most prominent privacy regulations and how they play into the data-saturated world of email marketing.
The EU’s General Data Protection Regulation (GDPR) covers several lawful bases for data processing, and consent is one of them. As email marketers, we need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR is specific to the activity. We must ask ourselves: do I have permission to send marketing messages to them? Are they expecting my emails?
Even a scammer would need my explicit consent to continue sending me spam. While this might frustrate email marketers, customers must also have the option to withdraw consent (objecting to use of information for direct marketing) if they decide they don’t want to hear from you anymore. But why would you want to talk to someone who isn’t interested in what you have to say anyway?
The CDPA echoes the importance of consent. Email marketers must be explicit about any information collected or processed from residents of the state of Virginia — and work with their sales teams to ensure that contact receives the same quality service at the same price as all prospects, regardless of their privacy decisions.
Whether you’re looking to optimize your GDPR, CCPA or CDPA compliance, or just getting started in email marketing and want to ensure you’re on the right path, prioritizing steps into actionable pieces is the way to go. Confirming consent with existing contacts and protecting data with proper security measures can seem overwhelming, but when in doubt don’t hesitate to reach out for advice or to a lawyer that specializes in data protection.
At the end of the day, what matters is keeping your contacts informed at all times of what’s being done with their information. Having a trail of documentation that you can show to prove this will prepare you in case you’re audited for compliance purposes.”
The role of pseudonymization through tokenization in businesses in 2021
John Noltensmeyer, CTO of TokenEx
“The passage of Virginia’s new privacy law means that businesses will now have two new state-specific regulations to prepare for prior to January 1, 2023, including California’s CPRA. Therefore, it’s critical to use this window of time to review efforts regarding current CCPA requirements, while also looking to ensure the organization is compliant with the upcoming changes. While it can seem overwhelming and complex, one of the logical places to start is to secure the personal data an organization holds. By utilizing technology like pseudonymization through tokenization, businesses can protect consumers’ sensitive data while also meeting the compliance obligations for current and future laws across multiple jurisdictions.”
What Rights do Consumers Have as per the CDPA Law?
As per OneTrust, the Virginia CDPA provides consumers with several rights, including:
- the right to opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling;
- the right to confirm if their data is being processed;
- the right to amend inaccuracies;
- the right to data deletion; and
- the right to data portability.
Lawmaking bodies are finally understanding the importance of creating awareness of data privacy. It is clear that consumers shouldn’t bear the burden of securing their own privacy.
As users, we leave our digital footprints (PII) across social media, websites, emails and mobile apps. Most of us online consumers are negligent of our ‘right to privacy’ and yet expect that we will be protected from cybersecurity threats and spamming / phishing attacks. Once leaked, personal data can’t be retrieved; worse, it could be used maliciously to steal our financial data and accounts. To regulate this, we need stronger, potent data against data hackers.
While the Virginia CDPA has an “exceptional” number of exemptions, we can regard the new law as a game-changing milestone for most law-abiding US data analytics firms and institutions.