Essentially, if you fall under the Act's jurisdiction, you must take steps to inform Virginia residents of their data protection rights and help them exercise these rights if they choose to do so.
- 1. What is the CDPA?
- 2. Who Must Comply With the CDPA?
- 3.1. Introduction
- 3.2. Jurisdiction
- 3.3. Contact Details
- 3.4. The Rights of the Individual
- 3.5. The Data You Collect
- 3.6. Purposes of Data Collection and How You Use the Data
- 3.7. Your Personal Data Sharing Policies
- 3.8. Selling Personal Information
- 4.1. Website Footer
- 4.2. At the Point of Data Collection
- 4.3. Within Other Policies
- 6. Key Takeaways
What is the CDPA?
The Consumer Data Protection Act protects what's known as personal data, or personal information. Personal information is defined in Section 59.1-571 as, basically, any single piece of data you can use to identify an individual person:
So, examples of "personal data" can include information such as names, email addresses, IP addresses, and even employment data.
As a business, you have various obligations under the CDPA. You must:
- Take steps to reduce or minimize how much data you collect.
- Ensure you get consent before collecting "sensitive" personal data. This includes all data belonging to minors, and data you can use to identify sensitive characteristics like someone's mental health status.
- Provide sufficient cybersecurity to protect any personal data you handle.
Although this article focuses on Privacy Policies, be aware that a Privacy Policy is not the only obligation you have under the Act.
Who Must Comply With the CDPA?
To be clear, Virginia's CDPA only applies if you're a commercial, for-profit business selling goods or services to Virginia residents and you either:
- Derive more than 50% of your gross revenue from selling personal information and process personal data belonging to more than 25,000 residents, or
- Process data belonging to more than 100,000 Virginia consumers
First, you need to introduce the Policy, explain which laws apply, and provide some contact details for people to reach you.
Next, you must include clauses explaining the following:
- Individual rights: This clause tells people what rights they have, and how to exercise them.
- Personal data collection: What information you collect from someone.
- Purpose of collection: The reason(s) why you process this data.
- Personal data usage: What you do with the data.
- Third-party sharing: Who you share the data with, and why.
- Sale of data: The clause detailing whether you sell data, and who you sell it to.
Now, let's break down each of these clauses, one at a time.
The introduction simply sets out what the document is, and what it covers.
- Include the effective date, i.e., the date the Policy came into force.
Here's a good example from Papa Murphy's. In just a few lines, it sets out what the Policy is, what it covers, and where people can find out more:
You'll note they last updated the Policy on November 30, 2020. Always change the date to reflect when you last amended your Policy, so people know how up to date (or not) it is.
In this context, jurisdiction simply means which federal or state laws govern the agreement between you and the consumer. In other words, it's which laws apply if there's ever a court action or disagreement.
Wendy's, for example, relies on laws set by the State of Ohio:
As you'll see from this clause, you don't need much detail here. Just include enough so consumers know which state or federal laws apply.
For example, Papa Murphy's provides an email address, phone number, and mailing address. Including at least one free option like an email address is good practice:
The Rights of the Individual
As set out in Section 59.1-573, the CDPA gives consumers five specific rights over their personal data. In short, people can ask to see what data you hold on them, and you must delete it upon request. You must also correct any errors they point out, and if they opt out of the sale of their data, you must honor that choice:
The Data You Collect
Tell customers what data you collect, and how you collect it. Give examples, but don't be so restrictive that you can't collect anything else.
- Use language like "such as" to show the examples you're giving aren't exhaustive.
- Be clear about the ways you collect data, e.g., someone may share it with you voluntarily, or you may collect it through automated means.
Wendy's, for example, collects data in three ways:
Notice how the phrasing says "such as" to illustrate how the list isn't exhaustive, but is rather giving some examples:
Here's an example from Macy's of how you might structure this section:
Purposes of Data Collection and How You Use the Data
Tell customers why you're collecting the data in the first place, e.g., to complete an order or to personalize your marketing. Again, the clause should be clear, succinct, and easily understood.
Papa Murphy's has a good example of how to set out a clause like this in short, simple paragraphs:
Tell consumers how you plan on using their data. The golden rule is this: if you can't articulate why you need a piece of data, e.g., someone's date of birth, then you shouldn't collect it.
To be sure you're not limiting yourself, you can use language like "for example" or "such as" to ensure people know you might use their data for other purposes.
Barnes & Noble, for example, uses the phrase "manage our business," which can be interpreted very widely:
Your Personal Data Sharing Policies
Macy's helpfully breaks this clause down into concise, clear paragraphs with bolded wording so consumers can easily find the key information:
Selling Personal Information
Here's an example from Wendy's. Wendy's tells customers they have the right to opt out:
Wendy's also provides the means for users to do so:
Note that even though the CCPA is referenced in the clause, the same approach applies to the CDPA and other privacy laws. The concept remains the same even though the law may have a different name.
Here's an example from Martha Stewart:
You'll notice the link is right beside the Terms of Service and other critical information. Users are familiar with this setup of putting important links in the footer, so it's a common best practice.
At the Point of Data Collection
Under the CDPA, you don't always need someone's consent to collect their data. However, remember, if you're collecting sensitive data, you will need consent.
What constitutes consent? Well, under the CDPA, it must be clear, freely offered, and affirmative. In other words, a consumer must do something to clearly indicate they're consenting to personal data processing.
Within Other Policies
Wendy's places the key information consumers need at their fingertips in this useful summary of contents.
If you're a business selling goods or services to Virginia residents, you need to comply with Virginia's CDPA. This Act gives people new rights over their personal data, and it restricts what businesses can do with the personal information they collect.
- Whether you collect personal data from consumers
- Which laws apply, should anything go wrong with the agreement
- Why you need a consumer's personal information
- Who you share the personal data with
- Whether you sell personal information to third parties
- What rights a consumer has over their personal data
- How they can contact you to exercise these rights
If you fail to comply with your responsibilities under the CDPA, you could be fined up to $7,500 per violation.