How to Comply With Virginia's CDPA

If you sell goods or services to the residents of Virginia, you must comply with the Virginia Consumer Data Protection Act (CDPA).

The Act gives Virginia residents control over how companies collect their personal data. It brings Virginia's privacy law in line with privacy rules around the world, such as the EU's General Data Protection Regulation (GDPR).

Although it won't officially become law until January 1, 2023, it's crucial you start preparing for how the legislation affects your business as soon as possible. To help, here's a breakdown of the CDPA and what steps you should take to comply with its terms.

What is Virginia's Consumer Data Protection Act?

The CDPA gives Virginia consumers more power over their personal information. The goal is to balance two things:

  • The need for businesses to handle some personal data for commercial purposes, and
  • The rights of the individual to restrict how much information a company has on them

Essentially, the CDPA applies to what's known as the "processing" of "personal data." "Personal data" is simply anything we can use to identify a real person. While the CDPA doesn't provide any examples, it does define personal data as anything we can "reasonably associate" with an individual:

Virginia Legislative Information System: CDPA - Definition of personal data

In other words, personal data can be anything from a name to an IP address. However, it does not include anonymized data, or data which is publicly available.

"Processing" means anything you do with personal data while it's in your control. This includes collecting, sharing, and deleting data:

Virginia Legislative Information System: CDPA - Definition of processing

From the moment you attempt to collect data until you dispose of it safely, you're technically "processing" it.

What specific rights do consumers have over their personal data and how it's processed, though? Well, under the Act, consumers have the right to:

  • Know if businesses are collecting their personal data
  • Withdraw consent to personal data collection
  • Access the personal data stored on them, and amend it accordingly
  • Delete their personal information
  • Opt out of targeted advertising and the sale of personal data

So, the CDPA offers similar privacy rights to the ones we see in the California Consumer Privacy Act (CCPA) and the GDPR.

Briefly, here are some other definitions you should be aware of before we move forward:

  • Data controller: The company that collects the personal data and determines why they're collecting it. For example, an e-commerce store is a controller.
  • Data processor: The processor handles personal data on the controller's behalf.
  • Sale of personal data: Essentially, you're selling personal data if you give it to a third party in exchange for compensation.
  • Sensitive data: Any data belonging to a minor is sensitive. If it's data you can use to identify traits like someone's race or sexual orientation, or it's biodata, it's also sensitive.

Not sure if the CDPA applies to your business? Let's check out what the scope is.

Who Must Comply With the CDPA?

The CDPA applies to most for-profit companies who sell goods and services to Virginia residents. In short, you must comply if you:

  • Process or handle personal data belonging to more than 100,000 Virginia residents, or
  • Earn over 50% of your gross revenue from selling personal data and handle or process data belonging to more than 25,000 Virginia residents

The scope is set out in Chapter 52, Section 59.1-572:

Virginia Legislative Information System: CDPA - Scope and exemptions section

So, if you undertake commercial activities in Virginia, there's a good chance you must comply. You will not, however, need to comply with the CDPA if you are a state body, non-profit, or higher education facility.

Always get legal advice if you're unsure whether the Act applies to you.

What are the CDPA's New Requirements?

Virginia's CDPA places six responsibilities on businesses targeting Virginia consumers. Let's look at them one at a time.

1. Privacy Notice

You must provide a Privacy Notice setting out what data you collect, why you need it, how it's used, and who you share it with.

In other words, you need a Privacy Policy.

2. Consumer Rights

You should ensure Virginia consumers understand what rights they have, and how to exercise them.

  • You must set out what the rights are in written form (your Privacy Policy is a good place to start).
  • You must help consumers enforce these rights by, for example, explaining how they can opt out and revoke consent.

3. Data Minimization

You should minimize the data you collect. In other words, you don't need to capture someone's full name and date of birth to sign them up for your newsletter, and so on.

This is similar to the GDPR data minimization principle.

You need informed, affirmative consent before collecting sensitive data, i.e., data belonging to minors or special categories of personal data, as we defined earlier.

5. Data Protection Assessments

For any personal data you collect, you must identify three things:

  • The benefits of acquiring that data
  • The risks attached to processing the data
  • How you can minimize these risks

You only need to perform an assessment on data collected on or after January 1, 2023.

6. Security Safeguards

Every business needs cybersecurity in place to properly protect the personal data in its keeping.

Unfortunately, the Act doesn't define what safeguards you'll actually need, but we'll consider some options below.

How Can Businesses Comply With the CDPA?

To fulfill the six responsibilities set out in Virginia's CDPA, businesses can do five things. Let's break them down.

1. Draft a Privacy Policy

As per Section 59.1-574 (C), every controller must provide a "privacy notice" on its website. The notice must include details on the following:

  • What categories of personal data you process
  • Why your company needs this data
  • What rights the consumer has over their data, and how they can exercise them
  • Whether you share data with third parties
  • A means for consumers to reach you regarding the privacy notice

Virginia Legislative Information System: CDPA - Data controller responsibilities: Privacy Notice requirement

In effect, this simply means having a complete Privacy Policy. While we cover the CDPA Privacy Policy requirements in detail elsewhere, here's broadly what clauses you must include:

Data Collected

If you collect personal data, explain this in your Privacy Policy and indicate the types of information this might include.

This clause doesn't need to be overly long. It can just indicate the broad categories of data you collect from your customers. The Bank of America has a great example for this:

Bank of America US Consumer Privacy Notice: Summary of what types of personal information it collects and shares

Collection Purposes

Be clear about why you need the data you collect. Remember, data minimization is important. If you can't justify why you need the data, don't collect it.

Starbucks, for example, collects data to provide essential services. It sets out its purposes in a user-friendly bulleted list so it's easy to read:

Starbucks Privacy Statement: How We Use Your Information clause

Consumers' Rights

First, you should set out what specific rights a consumer has over their personal data. Then, you should indicate how you can help a consumer exercise these rights.

Walmart, for example, opens its California Privacy Policy with a list of the rights Californian consumers have under the CCPA:

Walmart California Privacy Rights: CCPA rights section

This is a good model to take, but with the CDPA rights instead of the CCPA rights.

Walmart then explains what these rights mean in more detail, and how the company can help the consumer exercise them:

Walmart California Privacy Rights: Delete My Personal Information section

Third Party Sharing

If you use tracking cookies, or you share personal data with third parties, disclose it in your Privacy Policy.

Here's an example from McDonald's. The company sets out in short, succinct paragraphs who it shares data with, and for what purposes:

McDonalds Global Privacy Statement: How We Share The Information We Collect clause

It also explains what cookies are, and how the company might use this technology to obtain a consumer's personal data:

McDonalds Global Privacy Statement: Use of Our Online Services and Other Technology clause

Keep your explanation short and use language that the average reader can understand.

Contact Details

Provide one or two ways for consumers to contact you regarding the CDPA. Here's an example from Walmart:

Walmart California Privacy Rights: Contact clause

2. Facilitate Opt Out Processes

Virginia consumers have the right to opt out of targeted advertising, data selling, and data profiling. So, before you collect personal data for these purposes, you must ensure that:

  • Customers know they can opt out, and
  • It's clear how customers may opt out

There are three ways to comply with this requirement.

Use Your Privacy Policy

First, if you use personal data for targeted advertising or profiling, or you sell it to third parties, set this out in your Privacy Policy.

Wendy's, for example, explains in its Privacy Policy that it uses personal data for targeted advertising:

Wendys Privacy Policy and Notice: How We Use Your Information clause - To analyze and better understand our consumers section

The company uses cookies to collect this data. To facilitate the right to opt out, Wendy's directs consumers to a Google Analytics page, where they can turn off the tracking technology:

Wendys Privacy Policy and Notice: Your Cookie and Other Tracking Technology Choices clause

Do Not Sell My Information

Next, you can place a conspicuous link to a "Do Not Sell My Personal Information" page that addresses the sale of personal data. A typical place for this link is the website footer. Visitors can click the link and, if desired, follow the opt out procedures.

Here's an example from NBCUniversal:

NBCUniversal website footer with Do Not Sell page link highlighted

Clicking the link takes you to a page that explains how you can reject targeted advertising:

NBCUniversal Do Not Sell My Personal Information page: Advertising Opt-Out Tools section

Use a Checkbox

You can give people the option to opt out of certain types of processing when they land on your webpage.

For example, when you visit American Airlines, a cookie consent notice appears that has a checkbox where you can agree to the use of advertising cookies:

American Airlines Cookie Consent Notice

Remember, you sometimes need consent to process data under the CDPA. To be deemed "valid" consent, the consent must meet five criteria:

  • Clear: It must be obvious that someone has actually given consent
  • Informed: You must give the consumer enough information to make an informed decision
  • Specific: The consumer must know exactly what they're consenting to
  • Affirmative: They must take some positive action to give consent
  • Freely given: You cannot coerce anyone into consenting to data processing

How do you get valid consent from someone? Checkboxes are the best way to go. Just don't use pre-checked boxes that require a user to un-click to revoke consent. You can also use toggle buttons.

Here's an example of toggle buttons used by Teen Vogue. When someone visits the site, they can choose which cookies to accept, and which to reject:

Teen Vogue cookie settings page

And here's a classic checkbox example. To sign up for an account with Lancome, you must tick a box confirming you're happy with the Privacy Policy. Users are also given the option to opt in to personalized emails and are reminded that they can unsubscribe at any time (thus revoking consent):

Lancome Create Account form checkboxes for consent to Terms and Conditions, Privacy Policy and marketing communication

4. Perform Data Protection Assessments

You must perform a data protection assessment for:

  • Data you may use for targeted advertising
  • Data you plan on selling
  • Data you may use for profiling where such profiling comes with risk of unfairness and harm
  • The processing of sensitive data
  • Any processing activity that has an increased risk of harm to the data subjects

Think of it like a risk assessment. Section 59.1-576 (B) sets out factors for you to consider:

Virginia Legislative Information System: CDPA - Data Protection Assessments - Factors to consider section

5. Implement Cybersecurity Safeguards

Every business must employ some cybersecurity measures to protect personal data. While what's appropriate depends on the size of your business and the data you process, measures you could introduce include:

  • Network monitoring e.g. firewalls
  • Antivirus and anti-malware software
  • Encryption and password protection
  • Multi-factor authentication e.g. fingerprints

You might want to consult an IT expert for more advice on this.

What are the Penalties for Not Complying with the CDPA?

If you fail to comply with the Consumer Data Protection Act, you could be fined. We can find the rules in Sections 59.1-579.

Essentially, if a consumer feels you've violated their CDPA rights, you will receive written notice from the Attorney General. You then have 30 days to "cure" the violation, and provide written notice to the affected consumer:

Virginia Legislative Information System: CDPA - Violations of chapter: Civil penalty section

If you fail to respond within 30 days, or you continue to violate the Act, you could be fined up to $7,500 for each violation.


Virginia's CDPA gives consumers the right to control what businesses do with their personal data. You must comply with the CDPA if you sell goods and services to Virginia consumers.

To comply with the CDPA, you must do five things:

  • Draft a Privacy Policy, or Privacy Notice, informing consumers of their rights under the Act.
  • Get consent to sensitive data processing, or before you process any data belonging to minors.
  • Inform people of their rights to opt out of targeted advertising, data selling, and data profiling, and help facilitate these rights.
  • Perform regular data protection assessments.
  • Use sufficient cybersecurity to protect personal data in your care.

A failure to comply with any part of the CDPA could result in a fine of up to $7,500 if you don't remedy the problem within 30 days of receiving notice from the Attorney General.