Governor Ralph Northam has signed the Virginia Consumer Data Protection Act (CDPA) into law. The CDPA requires businesses operating in the Commonwealth of Virginia to comply with new data privacy and security requirements. The CDPA takes effect on January 1, 2023.
The CDPA shares many of the privacy and security requirements of the EU's General Data Protection Regulation (GDPR), which was enforced on March 25, 2018, and the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. Although the CDPA parallels both the GDPR and the CCPA, there are many differences, so compliance with the CCPA or the GDPR does not guarantee CDPA compliance.
Like the CCPA, the CDPA applies only to organizations that collect or process large volumes of consumer data. The data threshold is double that of the CCPA, but the CDPA has no minimum revenue threshold.
The CDPA applies to any person or business that:
- Controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or
- Controls or processes the personal data of 25,000 or more Virginia residents in a calendar year and derives at least 50% of its gross revenue from the sale of personal data.
Entities Exempted from the Virginia Consumer Data Protection Act
Entities already covered by certain federal laws that include data privacy and security requirements are exempt from the CDPA. Organizations covered by the following laws are excluded:
- The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- The Gramm-Leach-Bliley Act (GLBA)
HIPAA- and GLBA-covered entities are fully exempt, not only for the data covered by those acts but also for any other data they collect that would otherwise be protected by the CDPA.
There are additional exemptions for data covered by the:
- Children’s Online Privacy Protection Act (COPPA)
- Family Educational Rights and Privacy Act
- Drivers Privacy Protection Act
- Fair Credit Reporting Act (FCRA)
- Farm Credit Act
- Personal data processed in an employment context
Other entities exempt from CDPA compliance include:
- Any body, authority, board, bureau, commission, district, or agency of the Commonwealth of Virginia, or any political subdivision of the Commonwealth
- Not-for-profit organizations
- Institutions of higher education
Virginia Consumer Data Protection Act Requirements
The CDPA protects the personal data of any consumer, defined as a natural person who is a Virginia resident acting only in an individual or household context, and not in a commercial or employment context. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person.
The CDPA does not apply to publicly available data or to de-identified data. Publicly available data is defined as information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
The CDPA restricts covered entities from selling personal data without permission, with a sale defined as the exchange of personal data for monetary consideration by the controller to a third party.
The CDPA limits data collection to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Data may only be used for purposes that are reasonably necessary for, and compatible with, the purposes to which the consumer has consented.
Covered entities must implement reasonable technical, physical, and administrative safeguards to protect any data they collect or process, and data controllers must conduct data protection assessments, although the CDPA does not specify how often these assessments must be performed.
Consumer Rights of Virginia Residents Under the CDPA
Under the CDPA, Virginia residents have the right to:
- Access the personal data held by a covered entity.
- Correct inaccuracies in the personal data held by a covered entity.
- Delete personal data held by a covered entity.
- Obtain a copy of the personal data held by a covered entity.
- Opt out of the processing of personal data for targeted advertising purposes.
- Appeal a business's refusal to act on a request within the required time frame (45 days). A response to any appeal must be provided within 45 days.
Penalties for Non-Compliance with the CDPA
The CDPA provides no private right of action, so consumers cannot sue a business if they believe their CDPA rights have been violated. The Virginia Attorney General enforces compliance and can impose a civil penalty of approximately $7,500 per violation. However, the Attorney General must first give businesses the opportunity to remedy or "cure" the violation; financial penalties apply only if the violation is not cured within 30 days.