The Ad Matter 2021: Meet the CDPA, Y'all

Meet the CDPA, Y’all: Virginia’s New Privacy Law

It’s been a while since I posted a new Ad Matter blog. Not that there weren’t items to report on (there were many), but this development deserves the first post of 2021.

Who would have thought that our Commonwealth would be the second state in the US to pass a comprehensive privacy law?

The Consumer Data Protection Act (“CDPA”) was signed into law by Governor Northam on March 2, 2021. It’s very similar to the loved/hated CCPA of California, with a bit of the GDPR thrown in for good measure.

We are now one of only two states with such a law. While the companies subject to the law have until January 1, 2023 to comply, it can’t be too early to start preparing. Additionally (coincidentally?), the CPRA, California’s newest privacy reg, also goes into effect on January 1, 2023. So if you are into spring cleaning, add “privacy policy audit” to your list.

Who does the CDPA apply to?

Persons who conduct business in Virginia, or produce products or services targeted to Virginia residents, and who, during a calendar year, either (i) control or process the personal data of at least 100,000 “consumers”, or (ii) control or process the personal data of at least 25,000 “consumers” and derive over 50 percent of gross revenue from the “sale” of personal data.

What’s the definition of a Consumer under this law?

A consumer is a Virginia resident acting only in an individual or household capacity. A consumer is not someone acting in a commercial or employment role. In other words, data a business collects from its employees, job applicants or business contacts falls outside the law, because those people are not “consumers” under the CDPA.

How is sale defined under the CDPA?

Recall the headache that is the definition of “sale” under the CCPA, which reaches exchanges for “monetary or other valuable consideration”. Virginia thankfully defines a sale of personal data as “the exchange of personal data for monetary consideration by the controller to a third party.” There are other defined exclusions as well, such as disclosures to a processor or to an affiliate of the controller.

What is considered Personal Data? 

This is the holy grail of defined terms in any privacy reg. While the CCPA and GDPR both have sweeping definitions of what they consider personal information or data, the CDPA simply defines personal data as “information that is linked or reasonably linkable to an identified or identifiable natural person”. Notably, unlike California’s definition, it does not include information linked to a household. Other exclusions apply, such as de-identified data and publicly available information.

Are you taking this personally or just being sensitive?

One new addition in the upcoming CPRA is the term “sensitive personal information”: a subset of personal information that gets extra protection under the new California reg. Virginia, similarly, has a category of data called “sensitive data”. This category includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to uniquely identify a person; precise geolocation data; and personal data collected from a known child. In order to process any kind of sensitive data, a business covered by the law will need to get the consumer’s consent (and, for a known child, the parental consent that COPPA already requires).

Our cousins from across the pond:  The Controller and The Processor

In the EU under the GDPR, there are two distinct roles in the collection and processing of personal data: the Controller is the entity that determines why and how the data is collected and used, while the Processor is a third party that actually processes the data on the Controller’s behalf and at its direction. Virginia adopts similar terminology and attributes similar responsibilities to each role. For example, all three laws limit the processing of personal data to what is “adequate, relevant and reasonably necessary” in relation to the purpose for which the data was collected. The CDPA requires the consumer’s consent before any sensitive data is processed (recall that personal and sensitive data are slightly different); the GDPR treats explicit consent as one of several possible bases for such processing, and the CPRA instead gives consumers a right to limit how their sensitive information is used. The CDPA also requires a written contract between the Controller and the Processor. Further, a Controller must provide a clear and accessible privacy notice to consumers outlining the categories of data collected, the purpose for processing the data, the categories of data shared with third parties and the categories of those third parties, and directions on how consumers can access, correct or delete their data.

If a Controller sells the collected data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose this to consumers, along with how they can opt out. Unlike the CCPA, though, the CDPA does not prescribe a specific mechanism (such as a “Do Not Sell” link) for making that disclosure.

Are my rights under the CDPA similar to those under the other laws?

In a nutshell, yes. The CDPA gives consumers in Virginia the right to confirm whether a controller is processing their data and access it, correct inaccuracies in it, delete it, obtain it in a portable format, and opt out of certain kinds of activities such as the sale of personal data, targeted advertising and profiling that produces legal or similarly significant effects (this is not an exhaustive list). Controllers must also offer a process for consumers to appeal a refused request.

Who do I call about non compliance issues?

There is no private right of action under this law. Enforcement of the CDPA rests solely with the Attorney General’s office. A violator has thirty days after receiving written notice from the AG to cure the violation; violations that are not cured are subject to a civil penalty of up to $7,500 per violation.

While this is not an exhaustive list of the many details of the CDPA, it does show some highlights that all businesses should be aware of. It is also quite revealing that the CCPA and GDPR, which started out as a bit of a headache, now seem to be structurally sound and a blueprint for others.

Why This Matters: While Congress may never agree on a national standard, states (and big tech) are taking matters into their own hands. Watch as more and more states develop their own strategies for protecting consumer information. And above all, take a look at your own policies. Enforcement actions are just around the corner once the new law is in effect.