Consumer Data Protection Act Coming to Virginia
Wednesday February 10, 2021
In the first week of February, the Virginia House and Senate passed versions of the Consumer Data Protection Act (CDPA). The reconciliation of the two bills is expected this week. Even if the CDPA becomes law, none of its provisions would take effect until January 1, 2023.
The CDPA would regulate how businesses collect and manage “personal data.” Personal data is data that can be tied to an individual (e.g., phone number, email address) or a specific device (e.g., via IP address).
“As digital marketers, we’re used to constant change and have already adapted to similar regulations, like GDPR. We’ve learned that it’s always better to start planning early to avoid a last-minute scramble.” – Andrew Miller, Co-Founder of Workshop Digital
While we’re not attorneys—nor is this legal advice—we do know the outlines of how the legislation may affect businesses and, in particular, marketers.
The CDPA would apply mainly to businesses collecting data on 100,000+ users each year.
The CDPA would apply to Virginia-based businesses and businesses that market and sell to Virginia residents and “control or process personal data of at least 100,000 consumers” in a calendar year. (If your company makes at least 50% of its revenue by selling consumer data, the consumer threshold drops to 25,000.)
The legislation exempts non-profits, universities, and government agencies. It also excludes organizations whose data management must already comply with GLBA (for financial information) or HIPAA (for medical information). For the latter, the rationale is to avoid creating two data standards with which businesses must comply.
3 things that businesses would have to do
1. Respond to consumer data requests within 45 days
Companies would be required to let someone:
- Know if a company processes or has access to their personal data.
- Correct inaccuracies in their personal data.
- Delete their personal data.
- Get a copy of their personal data.
- Opt out of allowing a company to sell their personal data or use it for targeted advertising. (Companies can’t discriminate against those who opt out, with exceptions, like loyalty programs.)
Companies must respond to consumer requests (at no charge) up to twice annually. Beyond that, they may charge consumers “a reasonable fee.”
While the language is general, the legislation states that companies are not required to associate de-identified data (e.g., users in Google Analytics) with a specific person (e.g., a record in a CRM).
- The categories of data you process as well as which categories of that data you share with third parties (and the types of third parties that receive such data).
- The purpose of collecting the personal data that you collect.
- Details on how consumers can contact you to request their data, opt out, delete their data, etc.
3. Assess your data security
Additional language requires a company to “conduct and document a data protection assessment” on how it processes and uses personal data.
If your company is investigated, the Virginia Attorney General could request a copy of the assessment to help determine whether you’re in compliance. The security assessment would apply only to data gathered after January 1, 2023.
Companies are not responsible for the actions of third parties that have access to their data. (Similarly, a third-party data processor isn’t responsible for the actions of the company that shared the data with them.)
The Attorney General, not private citizens, would enforce the law.
In the event of a violation, the Attorney General would give a company 30 days’ written notice of the violation. If the company fixes the issue and commits, in writing, that no further violations will occur, no fines are to be assessed.
Failing that, the Attorney General is able to levy a fine of up to $7,500 per violation. (Although not explicitly stated, if the interpretation aligns with other data-privacy legislation, the penalty would be calculated at $7,500 per consumer violated—not per violation affecting any number of consumers.)
The penalty funds, in turn, would be used to support other CDPA investigations.
The Virginia legislation is less stringent than GDPR and tries to improve upon the California Consumer Privacy Act.
All three laws give consumers the right to find out what personal data a company has about them, to request that the company not sell it, and to ask that they delete it.
The scope of the CDPA would also work similarly to GDPR. If your business is located in the EU, then GDPR applies to you, and if you’re a business outside the EU that targets EU consumers, it applies to you, too. Substitute “Virginia” for “EU” and “CDPA” for “GDPR,” and the rule is the same.
There are, however, some meaningful differences:
- CCPA has exclusions for data that’s regulated by GLBA or HIPAA but not for the institutions that manage the data. So, under the California law, banks and hospitals have to manage data about account balances or medical history separately from data used for marketing purposes. The CDPA excludes the institutions—if you’re subject to GLBA or HIPAA, you’re not subject to the CDPA.
- CCPA has fuzzy language when it comes to “selling” data. In some cases, data sharing could be interpreted as “selling” data, even though the businesses involved wouldn’t see it that way. For example, if a vendor or partner with whom you freely shared data then used that data for something else, CCPA could qualify that as a “sale.” CDPA makes explicit that there must be direct, monetary compensation for an exchange of data to count as a “sale.”
- Unlike the CCPA, the VA bill excludes employee data entirely—it applies only to “the individual or household context.”
“Consumer opinions are really solidifying when it comes to data privacy. Those opinions are also turning into actions. There’s an emerging cohort of consumers who can (and have!) ditched companies based on their privacy policies. Being at the forefront of data security is not just about complying with laws like CDPA; it’s making an investment in a growing segment of consumers and clients.” – Larissa Williams, Director of SEO at Workshop Digital
Want to learn more? Workshop Digital will host a roundtable discussion of the legislation to help you prepare your business on Tuesday, February 16. Register for free.
Workshop Digital offers ethical, accountable online marketing solutions to help businesses thrive. From Search Engine Optimization (SEO) to Pay Per Click (PPC) to Conversion Optimization Testing, we provide accountability so business owners can make intelligent decisions about their marketing budgets, better engage with their customers, and continue to grow year after year.