CDPA Consumer Rights
The Virginia Consumer Data Protection Act (CDPA) allows those who live in Virginia to control what companies can do with their personal data. More specifically, the legislation gives Virginia residents six specific rights regarding their personal information, which we'll explore below.
First, though, let's be sure we're clear on how the CDPA works and which businesses must comply with its terms.
- 1. The CDPA in Brief
- 2. Who Must Comply With the CDPA
- 3. Consumer Rights Under the CDPA
- 3.1. Right of Access
- 3.2. Right to Portability
- 3.3. Right to Opt Out
- 3.4. Right to Correction
- 3.5. Right to Deletion
- 3.6. Right of Appeal
- 4. Complying With CDPA Consumer Rights Obligations
- 4.2. Impose Limitations on Collection and Use
- 4.3. Maintain Appropriate Safeguards
- 5. Penalties for Non-Compliance
- 6. Conclusion
The CDPA in Brief
The State of Virginia passed the CDPA on March 2, 2021. The Act is designed to achieve two key aims:
- Allow the residents of Virginia to control how businesses can access their personal or sensitive information
- Give residents the power to opt out of any sale of their personal data
The Act also imposes obligations on companies to ensure they collect, process, and store personal data safely and responsibly:
- Businesses must perform a risk assessment and ensure they have appropriate security measures in place to preserve data integrity at all times.
- All companies subject to the CDPA must also ensure there's no discrimination against customers who choose to opt out of data selling, or who exercise their privacy rights in some other way.
Who Must Comply With the CDPA
The Act's scope is set out in section 59.1-572.
Your business must comply with the Act if you sell goods or services in Virginia, or sell goods or services aimed at residents of Virginia, and one of the following applies:
- Your business processes data belonging to at least 100,000 Virginia residents a year, or
- Your business processes data belonging to 25,000 residents or more, and you earn over 50% of your gross annual revenue from selling personal data to third parties
If you're a commercial business, and you sell goods or services to customers in Virginia, it's most likely that you should comply with the Act. Seek legal advice, though, if you're at all unsure whether the Act applies.
Consumer Rights Under the CDPA
If your business must comply with the Virginia Consumer Data Protection Act, you should understand which rights consumers have under the legislation.
Let's break down the six rights to illustrate how you might comply.
1. Right of Access
Customers have the right to know whether you're collecting their personal data and what you plan to do with any information you process. As a business, you must give consumers access to the information you hold on them if they request it. This is known as the right of access.
Include clauses covering:
- Whether you collect data
- What type of data you collect (e.g., email addresses, credit card details)
- How consumers can request to access their data file
Starbucks, for example, collects data automatically or when customers provide it. It may also collect data from third parties:
The company then sets out examples of the data it collects:
And finally, there's a clause explaining how customers can access any data held on them:
You'll note these clauses are user-friendly and easy to read, which is what you should aim for when drafting your own clauses.
2. Right to Portability
Alongside the right of access, consumers can request a copy of the data stored on them in a convenient, portable format.
The idea behind "portability" is to let the customers transfer their data from one company to another, for example, if they decide to switch service providers, or they just want a copy of their data emailed to them for reference.
Complying with this obligation is relatively straightforward. If a customer asks for a copy of their personal data, ensure you provide it in a common, machine-readable format, such as a PDF or CSV file.
Verify the requester's identity before you release any information to them. How you verify someone's identity will vary depending on the sensitivity of the data you hold.
3. Right to Opt Out
As mentioned, consumers have the right to stop you from:
- Selling their personal data
- Processing their data for targeted advertising
- Using their information to profile the consumer unfairly (e.g., to produce a legally binding outcome, such as a decision to offer credit, based purely on data profiling)
Take Tim Hortons, for example. Consumers can reject targeted advertising and cookies by following the instructions given:
As another example, Krispy Kreme has a bulleted clause setting out what rights consumers have regarding communications. Again, it also tells consumers how they can exercise these rights, which is a detail you should always include:
4. Right to Correction
If a consumer can access their personal data and obtain a copy, it makes sense that they can also ask you to amend their data.
How you word this clause may vary, but what's important is that customers know they can amend their data, and how they can go about doing so.
5. Right to Deletion
A consumer can ask you to delete their personal information. They're not obliged to provide a reason. It's simply stated in section 59.1-573 as the right to "delete his personal data."
6. Right of Appeal
Under the Virginia Consumer Data Protection Act section 59.1-573, you should respond to a consumer request within 45 days of receipt. You can only extend this deadline if there's a compelling reason to do so (e.g., a complex access request).
You should also provide customers with the data they request free of charge up to twice per year.
You can charge a reasonable fee for multiple requests. What's reasonable depends on your business and the complexity of the request.
If you try to charge the consumer unfairly, refuse to release information, or if you fail to respond in a timely manner, then the consumer can appeal your decision.
Complying With CDPA Consumer Rights Obligations
Although we do cover compliance requirements in detail elsewhere, it's worth touching on the three main steps companies can take to ensure CDPA compliance.
As mentioned, consumers have the right to know whether you collect their data and, importantly, what you plan on doing with it. They also have the right to access the data you hold.
You should also ensure you include your contact details, so a customer can reach you to exercise their consumer rights.
2. Impose Limitations on Collection and Use
Under the CDPA section 59.1-574, businesses should limit how much data they collect.
In practical terms, the clause means:
- You should only collect as much data as you need to satisfy a defined purpose
- You can't collect data for any other unrelated purpose without express consent from the consumer
If there's any doubt whether you have consent to process data in a certain way, it's always best to get express consent before proceeding.
3. Maintain Appropriate Safeguards
Finally, every business handling personal data belonging to a Virginia consumer must ensure there's sufficient security in place to protect the information at all times.
You can do this by:
- Performing a data protection assessment (i.e., a risk assessment)
- Ensuring staff use strong passwords that they keep secure
- Installing security software and keeping it up to date
- Encrypting data and storing it at a secure location
If you don't have in-house IT personnel, consider hiring a managed services provider or other IT specialist to check your system security.
Penalties for Non-Compliance
Should companies fail to comply with the CDPA, they may face financial penalties. The penalties are set out in section 59.1-579.
Businesses have 30 days from the date of notice to remedy any breaches identified under the CDPA. If they fail to act, they could face a penalty of $7,500 per breach. For example, if a company commits two violations, it could face a penalty of $15,000.
If you're concerned regarding how to comply with the Virginia Consumer Data Protection Act, seek legal advice as soon as possible.
Notably, it's up to the Attorney General to decide whether or not to pursue an action. There's no private right of action allowing customers to sue companies that don't comply with the Act.
For customers, this is a clear shortcoming in the legislation. It's also as yet unclear how rigorously the Attorney General will pursue businesses under the CDPA.
Conclusion
The Virginia Consumer Data Protection Act, or CDPA for short, gives customers six fundamental rights over their personal data.
Consumers have the right to:
- Access personal data held on them by commercial businesses
- Ask for a copy of their personal data records in a portable, convenient format
- Opt out of any sale of their personal data for marketing or commercial purposes
- Correct any errors in the personal information stored on them
- Request that companies delete their personal data
- Appeal if a business doesn't comply with a request within a reasonable period (typically within 45 days of the request)
Finally, businesses should ensure they have proper safeguards in place to protect customer data, and they should only collect as much data as they need for a clearly identified purpose.
A failure to ensure consumers can exercise their rights under the CDPA means you are likely to face financial penalties or, at a minimum, reputational damage.