How to Comply With Virginia's CDPA
If you sell goods or services to the residents of Virginia, you must comply with the Virginia Consumer Data Protection Act (CDPA).
The Act gives Virginia residents control over how companies collect their personal data. It brings Virginia's privacy law in line with privacy rules around the world, such as the EU's General Data Protection Regulation (GDPR).
Although it won't officially become law until January 1, 2023, it's crucial you start preparing for how the legislation affects your business as soon as possible. To help, here's a breakdown of the CDPA and what steps you should take to comply with its terms.
- 1. What is Virginia's Consumer Data Protection Act?
- 2. Who Must Comply With the CDPA?
- 3. What are the CDPA's New Requirements?
- 3.1. 1. Privacy Notice
- 3.2. 2. Consumer Rights
- 3.3. 3. Data Minimization
- 3.4. 4. Consent
- 3.5. 5. Data Protection Assessments
- 3.6. 6. Security Safeguards
- 4. How Can Businesses Comply With the CDPA?
- 4.1.1. Data Collected
- 4.1.2. Collection Purposes
- 4.1.3. Consumers' Rights
- 4.1.4. Third Party Sharing
- 4.1.5. Contact Details
- 4.2. 2. Facilitate Opt Out Processes
- 4.2.2. Do Not Sell My Information
- 4.2.3. Use a Checkbox
- 4.3. 3. Get Consent to Sensitive Data Processing
- 4.4. 4. Perform Data Protection Assessments
- 4.5. 5. Implement Cybersecurity Safeguards
- 5. What are the Penalties for Not Complying with the CDPA?
- 6. Conclusion
What is Virginia's Consumer Data Protection Act?
The CDPA gives Virginia consumers more power over their personal information. The goal is to balance two things:
- The need for businesses to handle some personal data for commercial purposes, and
- The rights of the individual to restrict how much information a company has on them
Essentially, the CDPA applies to what's known as the "processing" of "personal data." "Personal data" is simply anything we can use to identify a real person. While the CDPA doesn't provide any examples, it does define personal data as anything we can "reasonably associate" with an individual:
In other words, personal data can be anything from a name to an IP address. However, it does not include anonymized data, or data which is publicly available.
"Processing" means anything you do with personal data while it's in your control. This includes collecting, sharing, and deleting data:
From the moment you attempt to collect data until you dispose of it safely, you're technically "processing" it.
What specific rights do consumers have over their personal data and how it's processed, though? Well, under the Act, consumers have the right to:
- Know if businesses are collecting their personal data
- Withdraw consent to personal data collection
- Access the personal data stored on them, and amend it accordingly
- Delete their personal information
- Opt out of targeted advertising and the sale of personal data
So, the Virginia Consumer Privacy Act offers similar privacy rights to the ones we see in the California Consumer Privacy Act (CCPA) and the GDPR.
Briefly, here are some other definitions you should be aware of before we move forward:
- Data controller: The company that collects the personal data and determines why they're collecting it. For example, an e-commerce store is a controller.
- Data processor: The processor handles personal data on the controller's behalf.
- Sale of personal data: Essentially, you're selling personal data if you give it to a third party in exchange for compensation.
- Sensitive data: Any data belonging to a minor is sensitive. If it's data you can use to identify traits like someone's race or sexual orientation, or it's biodata, it's also sensitive.
Not sure if the CDPA applies to your business? Let's check out what the scope is.
Who Must Comply With the CDPA?
The CDPA applies to most for-profit companies who sell goods and services to Virginia residents. In short, you must comply if you:
- Process or handle personal data belonging to more than 100,000 Virginia residents, or
- Earn over 50% of your gross revenue from selling personal data and handle or process data belonging to more than 25,000 Virginia residents
The scope is set out in Chapter 52, Section 59.1-572:
So, if you undertake commercial activities in Virginia, there's a good chance you must comply. You will not, however, need to comply with the Consumer Data Privacy Act if you are a state body, non-profit, or higher education facility.
Always get legal advice if you're unsure whether the Act applies to you.
What are the CDPA's New Requirements?
Virginia's CDPA places six responsibilities on businesses targeting Virginia consumers. Let's look at them one at a time.
1. Privacy Notice
You must provide a Privacy Notice setting out what data you collect, why you need it, how it's used, and who you share it with.
2. Consumer Rights
You should ensure Virginia consumers understand what rights they have, and how to exercise them.
- You must help consumers enforce these rights by, for example, explaining how they can opt out and revoke consent.
3. Data Minimization
You should minimize the data you collect. In other words, you don't need to capture someone's full name and date of birth to sign them up for your newsletter, and so on.
This is similar to the GDPR data minimization principle.
4. Consent
You need informed, affirmative consent before collecting sensitive data, i.e., data belonging to minors, or special categories of personal data as we defined earlier.
5. Data Protection Assessments
For any personal data you collect, you must identify three things:
- The benefits of acquiring that data
- The risks attached to processing the data
- How you can minimize these risks
You only need to perform an assessment on data collected on or after January 1, 2023.
6. Security Safeguards
Every business needs cybersecurity in place to properly protect the personal data in its keeping.
Unfortunately, the Act doesn't define what safeguards you'll actually need, but we'll consider some options below.
How Can Businesses Comply With the CDPA?
To fulfill the six responsibilities set out in Virginia's CDPA, businesses can do five things. Let's break them down.
As per Section 59.1-574 (C), every controller must provide a "privacy notice" on its website. The notice must include details on the following:
- What categories of personal data you process
- Why your company needs this data
- What rights the consumer has over their data, and how they can exercise them
- Whether you share data with third parties
- A means for consumers to reach you regarding the privacy notice
Data Collected
This clause doesn't need to be overly long. It can just indicate the broad categories of data you collect from your customers. The Bank of America has a great example for this:
Collection Purposes
Be clear about why you need the data you collect. Remember, data minimization is important. If you can't justify why you need the data, don't collect it.
Starbucks, for example, collects data to provide essential services. It sets out its purposes in a user-friendly bulleted list so it's easy to read:
Consumers' Rights
First, you should set out what specific rights a consumer has over their personal data. Then, you should indicate how you can help a consumer exercise these rights.
This is a good model to take, but with the CDPA rights instead of the CCPA rights.
Walmart then explains what these rights mean in more detail, and how the company can help the consumer exercise them:
Third Party Sharing
Here's an example from McDonald's. The company sets out in short, succinct paragraphs who it shares data with, and for what purposes:
It also explains what cookies are, and how the company might use this technology to obtain a consumer's personal data:
Keep your explanation short and use language that the average reader can understand.
Contact Details
Provide one or two ways for consumers to contact you regarding the CDPA. Here's an example from Walmart:
2. Facilitate Opt Out Processes
Virginia consumers have the right to opt out of targeted advertising, data selling, and data profiling. So, before you collect personal data for these purposes, you must ensure that:
- Customers know they can opt out, and
- It's clear how customers may opt out
There are three ways to comply with this requirement.
Do Not Sell My Information
Next, you can place a conspicuous link to a "Do Not Sell My Personal Information" page that addresses the sale of personal data. A typical place for this link is the website footer. Visitors can click the link and, if desired, follow the opt out procedures.
Here's an example from NBCUniversal:
Clicking the link takes you to a page that explains how you can reject targeted advertising:
Use a Checkbox
You can give people the option to opt out of certain types of processing when they land on your webpage.
For example, when you visit American Airlines, a cookie consent notice appears that has a checkbox where you can agree to the use of advertising cookies:
3. Get Consent to Sensitive Data Processing
Remember, you sometimes need consent to process data under the CDPA. To be deemed "valid" consent, the consent must meet five criteria:
- Clear: It must be obvious that someone has actually given consent
- Informed: You must give the consumer enough information to make an informed decision
- Specific: The consumer must know exactly what they're consenting to
- Affirmative: They must take some positive action to give consent
- Freely given: You cannot coerce anyone into consenting to data processing
How do you get valid consent from someone? Checkboxes are the best way to go. Just don't use pre-checked boxes that require a user to un-click to revoke consent. You can also use toggle buttons.
Here's an example of toggle buttons used by Teen Vogue. When someone visits the site, they can choose which cookies to accept, and which to reject:
4. Perform Data Protection Assessments
You must perform a data protection assessment for:
- Data you may use for targeted advertising
- Data you plan on selling
- Data you may use for profiling where such profiling comes with risk of unfairness and harm
- The processing of sensitive data
- Any processing activity that has an increased risk of harm to the data subjects
Think of it like a risk assessment. Section 59.1-576 (B) sets out factors for you to consider:
5. Implement Cybersecurity Safeguards
Every business must employ some cybersecurity measures to protect personal data. While what's appropriate depends on the size of your business and the data you process, measures you could introduce include:
- Network monitoring, e.g., firewalls
- Antivirus and anti-malware software
- Encryption and password protection
- Multi-factor authentication, e.g., fingerprints
You might want to consult an IT expert for more advice on this.
What are the Penalties for Not Complying with the CDPA?
If you fail to comply with the Consumer Data Protection Act, you could be fined. We can find the rules in Section 59.1-579.
Essentially, if a consumer feels you've violated their CDPA rights, you will receive written notice from the Attorney General. You then have 30 days to "cure" the violation, and provide written notice to the affected consumer:
If you fail to respond within 30 days, or you continue to violate the Act, you could be fined up to $7,500 for each violation.
Conclusion
Virginia's Consumer Privacy Act gives consumers the right to control what businesses do with their personal data. You must comply with the CDPA if you sell goods and services to Virginia consumers.
To comply with the CDPA, you must do five things:
- Get consent to sensitive data processing, or before you process any data belonging to minors.
- Inform people of their rights to opt out of targeted advertising, data selling, and data profiling, and help facilitate these rights.
- Perform regular data protection assessments.
- Use sufficient cybersecurity to protect personal data in your care.
A failure to comply with any part of the CDPA could result in a fine of up to $7,500 if you don't remedy the problem within 30 days of receiving notice from the Attorney General.