Virginia Consumer Data Protection Act Joins in on Consumer Privacy Protections
Virginia has become the latest state to pass more rigid consumer privacy laws with its Consumer Data Protection Act (CDPA), passed in early March 2021. This new Virginia privacy law will take effect January 1, 2023 — the same date that the revised California Privacy Rights Act (CPRA) becomes effective.
If you do business with consumers in Virginia and reach certain volume thresholds, then you’re required to comply. Likewise, if you do business with consumers in California and meet the Virginia Consumer Data Protection Act (CDPA) legal thresholds, you must also comply with California’s requirements.
With so many acronyms, here’s a guide to keep them all straight:
The Virginia Consumer Data Protection Act will extend requirements around sensitive personally identifiable information (PII). It also calls out more specific opt-out details for not only “selling” personal information, but also for the use of personal data in targeting and profiling marketing efforts. Data protection assessments will be required, as will obligations around confirming deletion or processing incoming data requests, and an appeals process. Virginia CDPA even extends this to not only data collected from a consumer, but also potentially data obtained from other sources.
Data protection assessments, also called Data Privacy Impact Assessments (DPIAs), are an extensive process to identify data privacy issues and risks within a company’s data and processing systems. The European General Data Protection Regulation (GDPR) includes mandatory data protection assessments as part of proving compliance. While the CCPA does not include assessments, its 2023 update, the CPRA, does include assessments – though of course the GDPR assessments have different requirements than the CPRA and what will be introduced as requirements under the CDPA.
While some companies have been moving to automated ways of handling opt out and reporting requests, CDPA may make that more challenging. New requirements around the appeals process, vendor management, and more transparency around data uses (including how data use changes after one “opts-in” and notification of these changes) could introduce new manual processing and individual review not accommodated by automation.
Although the Virginia Consumer Data Protection Act prevents class action lawsuits against violations, the Attorney General of Virginia will be able to administer fines up to $7,500 per instance of violations that aren’t addressed and corrected.
A-Z State Privacy
While the new Virginia privacy law is relatively similar to California’s CCPA/CPRA laws, every state has at least one law around online use of data privacy.
Alabama, Alaska, Arizona….
All 50 states have laws covering what must happen when a data breach occurs. In 2018, Alabama was the last state to add consumer protections against security breaches involving personally identifiable information (PII) data.
Alaska prohibits printing any more than the last four digits of a consumer’s credit or debit card number on a receipt.
As many as 35 states have laws specific to disposing of PII data, but they all have their own nuances. For example, Arizona’s law only applies to paper records.
Nuanced Consumer Privacy Laws
Illinois has the toughest laws around use of biometric (iris scan, fingerprint, image recognition) data. Consent is required to collect this type of sensitive personal information.
Maine is the only state that has laws prohibiting law enforcement from tracking a person’s location using Global Positioning System (GPS) or other geo-location info built into smartphones and computers.
Nevada has a law similar to California’s CCPA, but is specific to actually selling PII (in exchange for monetary compensation). Oddly though, there are exemptions for manufacturers of motor vehicles or persons who repair or service motor vehicles.
While the CCPA and CDPA are enforceable by their respective Attorneys General, California’s 2023 CPRA would establish an agency to investigate and enforce compliance. New York is currently considering a new law which could be enforced by any person who has been injured (not just the Attorney General).
All of this hasn’t even touched on federal laws such as FERPA or HIPAA. The Family Education Rights and Privacy Act (FERPA) originated in 1974 and offers federal-level protections for student education records. The Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996 is a federal law that offers even stronger protections for personal medical information.
Tips to Approach Changing Consumer Privacy Laws
Luckily, there’s some movement to introduce National Data Privacy legislation, which could greatly simplify efforts by standardizing requirements across the United States.
In the meantime, keep these tips in mind:
- Plan for flexibility. As we know, privacy laws will continue to evolve and will only become tighter, and hopefully more consistent, nationwide.
- Build trust. Use this as an opportunity to build trust with your customers. There are marketing and brand advantages to being clear, honest, and upfront with your customers, by showing that you care about protecting their information.
- Start with the rigorous laws. Focus on the most rigorous laws, as lesser laws in other states will be more than covered by your compliance (unless you fall into one of the unique categories called out above).
- Consult your legal team. There’s plenty of information available online, but rely on your legal counsel to confirm your company’s compliance based on varying requirements.
Is your head spinning from all the legal implications and challenges? If so, I offer this quick break to flash back to your grade school days and the resounding chorus of 50 Nifty United States (from 13 original colonies…shout ’em, scout ’em, tell all about ’em!)