Corporate Compliance Insights
GDPR and CCPA Left Gaps in Consumer Data Protection. Virginia’s New Privacy Law Closes Them.

What Companies Need to Know About Virginia’s New Privacy Law

by Chris Pin
May 19, 2021
in Data Privacy, Opinion
GDPR and CCPA have proven to be landmarks of consumer data protection. Virginia’s new privacy law moves the needle even further. While the CDPA may evolve before it goes into effect in 2023, there is reason to believe it will have a global impact on privacy.

In early March 2021, Virginia passed a data privacy law called the Consumer Data Protection Act (CDPA). The CDPA brings together a combination of concepts from the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). It also makes data privacy regulations easier for the public to understand and leverage. There is reason to believe that this will result in more data subject access requests, which could have a similar effect in California, the E.U., and other jurisdictions that pass data privacy laws in the future.

The good news for companies is that the CDPA was drafted to avoid many of the compliance headaches the CCPA and GDPR have created. It uses narrower definitions and applicability thresholds, and it excludes the categories of data and businesses (employment data, for example) where compliance under the CCPA and GDPR was, and still is, a source of confusion. Now that the law has passed, what does it mean for companies with ties to Virginia that have been working to comply with regulations such as the GDPR since 2018?

Although companies do not need to comply with Virginia’s new privacy law until 2023, it’s important they implement a strategy now. To fully understand how this new data privacy law can apply to your company, let’s take a look at some key points from the CDPA, such as consumer rights, data processing obligations, data controllers and data processors. From there, we’ll explore where and how companies may need to enhance their privacy policies and data processes.

Understanding the Key Points of the CDPA

Consumer Rights

Virginia consumers will have the right to confirm whether a business is processing their personal data and to access that data. They will be able to request that inaccuracies in their personal data be corrected by the business that holds it, taking into account the nature of the data and the purposes for which the business processes it, and to have personal data that they provided, or that was obtained about them, deleted.

Additionally, they will have the right to obtain a copy of their data from the controller in a portable and readily usable format that allows them to transmit it to another controller without hindrance. And finally, consumers will have the right to opt out of several uses of their personal data: targeted advertising, the sale of their personal data and profiling in furtherance of decisions that produce legal or similarly significant effects.

Consumer Rights Response Time and Obligations

Businesses that are subject to Virginia’s new privacy law must respond to a consumer’s request to exercise these rights without undue delay and, in any case, within 45 days of receipt. A single 45-day extension is available when reasonably necessary, taking into account the complexity and number of the consumer’s requests. A business that takes the extension must still notify the consumer within the initial 45-day period and give the reason for the delay.

A business may decline to act on a request, for example when it cannot authenticate the consumer’s identity using commercially reasonable efforts, or when the data requested is outside the scope of the statute (employment data, for instance). In that case it must tell the consumer, within the same 45 days, why it is declining and how to appeal the decision. Any appeal must be decided within 60 days of receipt, with a written explanation of the action taken or not taken and the reasons for it. If the appeal is denied, the business must also give the consumer a way to contact the Attorney General to submit a complaint.

Data Processing Obligations

The CDPA sets out several obligations similar to the GDPR for businesses processing personal data. These obligations include:

  • Data Minimization: Businesses must limit the collection of personal data to “what is adequate, relevant and reasonably necessary” in relation to the purposes for which the data is processed, as disclosed to the consumer.
  • Purpose Limitation: Businesses must not process personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer, unless they obtain the consumer’s consent.
  • Security Controls: Businesses must establish, implement and maintain “reasonable administrative, technical and physical data security practices” to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of the data.
  • Consent: Businesses must obtain the consumer’s consent before processing sensitive data, and before processing personal data for purposes that deviate from those disclosed in the business’s privacy notice.
  • Data Protection Assessments: Businesses must conduct and document data protection assessments that weigh the benefits of the processing against the risks to the consumer for each of the following activities:
    • The sale of personal data,
    • The processing of sensitive data,
    • The processing of personal data for targeted advertising,
    • The processing of personal data for profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury, intrusion upon seclusion or other substantial injury to consumers, and
    • Any other processing that presents a heightened risk of harm to consumers.

Data Controllers and Data Processors

Just like the GDPR and CCPA, Virginia’s new privacy law makes “controllers” responsible for the “processors” that handle personal data on their behalf. A controller must have a contract in place with each processor before that processor handles personal data, and the contract must, at a minimum, set out:

  • The nature and purpose of the processing, and the type of personal data to be processed;
  • Instructions for the processing that the processor must follow;
  • The duration of the processing, and the rights and obligations of both parties;
  • A duty of confidentiality binding every person the processor allows to process the data;
  • An obligation that the processor delete or return all personal data to the controller at the end of the services, unless the processor is legally required to retain it;
  • An obligation that the processor make available all information the controller needs to demonstrate the processor’s compliance, and allow and cooperate with reasonable assessments of the processor’s policies and technical and organizational measures, conducted by the controller or by an independent assessor the controller designates (effectively an audit and diligence provision); and
  • An obligation that the processor engage any subcontractor only under a written contract that flows the same obligations down to that subcontractor.

What’s Next For Virginia Companies?

Virginia’s CDPA takes effect January 1, 2023, which gives the state time to refine the statute and its exceptions before enforcement begins. That means what is detailed above could change before the law is fully enforced, and so could the exemptions to the law, which were not covered above.

What is promising about the CDPA is that it tries to make privacy rights more understandable and easier for consumers to exercise. The law spells out how consumers can opt out of processing, how they can appeal a business’s refusal and, where an appeal is denied, how to contact the Attorney General. That may drive not only an increase in CDPA consumer requests but also increases in GDPR and CPRA data subject access requests, since businesses are likely to update and simplify those privacy notices at the same time.

Answering the Big Questions

Zooming out, Virginia’s new privacy law indicates a continuing trend that requires companies to know and be in control of their data. If a company wants to be able to properly protect data and provide consumer rights, it’s imperative that they know the five W’s and one H of data: Who, What, Why, When, Where and How.

Here’s the breakdown:

  • Who: Whose data it is determines the controls a company is legally obligated to apply to the data.
  • What: What the data entails will determine where the data should be stored, whether it’s on a public or private network. That will also determine whether the data should be encrypted or masked if it is sensitive in nature.
  • Why: Companies need to determine why they have the data they do. Say for example, an email address. It can be used for many different things; those reasons need to be clearly defined, and the data needs to be organized so as to make this clear.
  • When: It’s also important for companies to know when they received data and to make decisions about how long they can legally store it. If it’s financial data, maybe that time frame is seven to 10 years, depending on the financial requirements. If it’s medical research, it could be indefinitely. Companies should also keep track of when data was last accessed and modified to better inform their storage decisions.
  • Where: Deeply tied to the “who” and “what,” companies need to know where data is stored and why. If data is stored by a third party, companies must make sure to have contracts and requirements in place to properly protect the data.
  • How: The “why” and the “how” are also tightly coupled. How companies are using data should relate back to a company’s privacy policies or notices. Companies need to make sure they are using data as it’s intended so they don’t break a customer’s trust.

In order to comply with the CDPA, companies should incorporate data discovery, data classification, data minimization, records of processing activities and data protection assessments into their everyday processes and controls, if they haven’t already. Let’s take a look at each of these functions and their importance:

  • Data discovery: This is the most important function, because a company doesn’t know what it doesn’t know. If a company cannot say what data it holds and where, the risk of that data being used improperly rises significantly.
  • Data classification: If a company is not aware of what data it possesses, it cannot classify that data by sensitivity, importance and regulatory scope, and so cannot apply the right controls to it.
  • Data minimization: This process ensures that a given piece of data lives only where it is supposed to (and not in copies scattered across other systems), which reduces both the attack surface and the risk of the data being stored in an improper place.
  • Records of processing activities: This goes back to the five W’s and one H. A company needs to be able to answer where its data is, what systems hold it, how it is used, how it is protected and how long it will be kept.
  • Data protection assessments: These assessments are equally important. When a company changes a process or procedure, it needs to determine how the change affects the data involved. Assessments should be repeated whenever the environment changes so that a change in one part of the environment does not jeopardize another.

It’s clear that Virginia’s new privacy law will reignite a focus on data privacy and security, given its visibility so far, and give affected companies a reason to refocus their efforts and potentially expand funding for their initiatives. It will also put power in the hands of consumers, who will be better informed and better able to exercise their data rights. The CDPA is further proof that data privacy doesn’t stop at California, or Virginia, or any other state. As data privacy laws spread, laws like the CDPA will keep highlighting the importance of data compliance.

Chris Pin
Chris Pin is the Vice President of Security and Privacy at PKWARE. In this role, Chris drives value and awareness for all PKWARE customers regarding the various challenges that both privacy and security regulations bring to the data-driven world. He works closely with all customers and potential customers to help them better understand how PKWARE solutions best fit into their environments and processes. He also works very closely with many other departments such as sales, marketing, partners, and product to help build brand awareness and product insights.  