GDPR and CCPA Left Gaps in Consumer Data Protection. Virginia’s New Privacy Law Closes Them.

In early March 2021, Virginia passed a data privacy law called the Consumer Data Protection Act (CDPA). The CDPA brings together a combination of concepts from the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). It also makes data privacy regulations easier for the public to understand and leverage. There is reason to believe that this will result in more data subject access requests, which could have a similar effect in California, the E.U., and other jurisdictions that pass data privacy laws in the future.

The good news for Virginia companies is that the CDPA has been adjusted to avoid many of the compliance headaches both the CCPA and GDPR have created. The CDPA proposes narrower definitions regarding development and implementation that exclude the categories of data and businesses where there was (and still is) some confusion with respect to compliance. Now that the law has passed, what does it mean for companies with ties to Virginia that have been working to comply with regulations such as the GDPR since 2018?

https://twitter.com/psb_dc/status/1369822261797154817

Although companies do not need to comply with Virginia’s new privacy law until 2023, it’s important they implement a strategy now. To fully understand how this new data privacy law can apply to your company, let’s take a look at some key points from the CDPA, such as consumer rights, data processing obligations, data controllers and data processors. From there, we’ll explore where and how companies may need to enhance their privacy policies and data processes.

Understanding the Key Points of the CDPA

Consumer Rights

Virginia consumers will have the right to know whether or not a business is processing their personal information. They will also have the right to access their personal information and to obtain a copy of it in a readily usable format. Going further, they will be able to request that inaccuracies in their personal information be corrected by the business that holds it, taking into account the nature of the information itself and the purposes of the business’s processing of the consumer’s information.

Additionally, they will have the right to obtain a copy of their data from the controller in a portable and readily usable format that allows them to transmit the data to another controller. And finally, consumers will have the right to opt out of several different uses of their personal information, including targeted advertising, the sale of their personal information and profiling in furtherance of decisions that produce legal or similarly significant effects.

Consumer Rights Response Time and Obligations

Businesses that are subject to Virginia’s new privacy law must respond to requests by consumers to exercise these rights without “undue delay” within 45 days of receipt. There is, however, an additional 45-day extension available if reasonably necessary for the business to comply. If a business needs the additional extension, it still must respond to the consumer during the first 45-day period and provide the reason for the delay.

Should a business decline to respond to a consumer request, such as when the business cannot authenticate the consumer’s identity, or if the data requested is not of a nature that is subject to the statute (like employment data), the business may decline to take the action requested by the consumer. In that case, the business must provide the reason for declining and instructions about how to appeal that decision, all within 45 days of receipt of the initial request from the consumer. Any appeal must be decided within 60 days of receipt, and a written explanation must be provided to the consumer, together with a method for the consumer to contact the Attorney General to submit a complaint.

Data Processing Obligations

The CDPA sets out several obligations similar to the GDPR for businesses processing personal data. These obligations include:

• Data Minimization: Businesses must limit the collection of personal data to “what is adequate, relevant and reasonably necessary” in relation to the purpose for the data processing.
• Purpose Limitations: Businesses must process personal data only for purposes reasonably necessary or compatible with the purposes disclosed in the business’s privacy policy.
• Security Controls: Businesses must establish, implement and maintain “reasonable administrative, technical and physical data security practices” to protect the confidentiality of personal data.
• Consent: Businesses must obtain express consent from consumers when the business processes sensitive data or deviates from the purposes disclosed within the business’s privacy policy.
• Data Protection Assessments: Businesses must conduct data protection assessments (DPAs) to evaluate the risks associated with the following data processing activities:
  • The sale of personal data,
  • When processing sensitive personal data,
  • When processing personal data for targeted marketing purposes,
  • When processing personal data for profiling purposes and
  • Instances where processing presents a heightened risk of harm to consumers.

Data Controllers and Data Processors

Just like the GDPR and CCPA, Virginia’s new privacy law reiterates that “controllers” are fully responsible for their “processors.” This requires that there is a contract in place between a company and all of their vendors who share or sell data between each other and that it must include, at a minimum, provisions that address:

• The type of personal data to be shared;
• Instructions detailing the processing done by the recipient of the personal data;
• The duration of the processing;
• A duty to maintain the confidentiality of the personal information by both parties;
• An obligation that the processor deletes or returns the data to the controller at the end of the services unless the processor is legally required to retain it; and
• A right of the controller to assess the processor’s policies (itself, or by using a designated assessor) and technical and organizational measures with respect to compliance with CDPA — effectively an audit/diligence provision — along with the right of the controller to receive a report requiring the processor to flow these obligations to downstream vendors and subcontractors.

What’s Next For Virginia Companies?

Virginia’s CDPA will take effect January 2023, which gives the state plenty of time to outline and update exceptions to the law. That means what’s detailed above could change before it’s fully enforced. In addition, the exemptions to the law, which were not covered above, could also change prior to the enforcement date.

However, what’s great about the CDPA is that it’s attempting to make privacy laws more understandable and more easily leveraged by consumers. The law highlights ways to opt out of consent and/or processing, as well as how to contact the Attorney General, if it’s required. This may lend itself to not only an increase in CDPA consumer requests, but also increases in both GDPR and CPRA data subject access requests, since those privacy notices could also be updated and simplified as well.

Answering the Big Questions

Zooming out, Virginia’s new privacy law indicates a continuing trend that requires companies to know and be in control of their data. If a company wants to be able to properly protect data and provide consumer rights, it’s imperative that they know the five W’s and one H of data: Who, What, Why, When, Where and How.

Here’s the breakdown:

• Who: Whose data it is determines the controls a company is legally obligated to apply to the data.
• What: What the data entails will determine where the data should be stored, whether it’s on a public or private network. That will also determine whether the data should be encrypted or masked if it is sensitive in nature.
• Why: Companies need to determine why they have the data they do. Say for example, an email address. It can be used for many different things; those reasons need to be clearly defined, and the data needs to be organized so as to make this clear.
• When: It’s also important for companies to know when they received data and to make decisions about how long they can legally store it. If it’s financial data, maybe that time frame is seven to 10 years, depending on the financial requirements. If it’s medical research, it could be indefinitely. Companies should also keep track of when data was last accessed and modified to better inform their storage decisions.
• Where: Deeply tied to the “who” and “what,” companies need to know where data is stored and why. If data is stored by a third party, companies must make sure to have contracts and requirements in place to properly protect the data.
• How: The “why” and the “how” are also tightly coupled. How companies are using data should relate back to a company’s privacy policies or notices. Companies need to make sure they are using data as it’s intended so they don’t break a customer’s trust.

In order to comply with CDPA, companies should incorporate data discovery, data classification, data minimization, records of data processing activities and data protection assessments as part of their everyday processes and controls, if they haven’t already. Let’s take a look at each of these functions and their importance:

• Data discovery: This is the most important function, because a company doesn’t know what a company doesn’t know. If they don’t know what data is where, the risk of the data being used improperly significantly rises.
• Data classification: Furthermore, if companies aren’t aware of what data they possess, they can’t leverage data classification to organize their data by sensitivity, importance, etc.
• Data minimization: This process ensures certain data only lives where it is supposed to (and not on several other systems). It also reduces the risk of that data being stored in an improper place.
• Records and processing: This goes back to the five W’s and one H. Companies need to be able to answer where data is, how it’s being used, what systems it’s in, how are they protecting it and how long are they going to keep it.
• Data protection assessments: These assessments are also paramount. If a company makes a change to a process or procedure, they need to figure out how it impacted the data involved. Assessments need to be done frequently to ensure any changes made in a company’s environment won’t jeopardize other pieces of the environment.

It’s clear that Virginia’s new privacy law will reignite a focus on data privacy and security given its high visibility thus far, enabling companies impacted to refocus their efforts and potentially expand funding for their initiatives. It will also put the power in the hands of consumers, as they will be better informed and more easily able to leverage their data rights. The CDPA is further proof that data privacy doesn’t stop at California, or Virginia, or any other state for that matter. As data privacy grows and becomes more apparent, laws like the CDPA will help continue to highlight the importance of data compliance.