Virginia is the latest state to make traction on signing comprehensive data privacy legislation into law, following close on the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Right Act (CPRA). As additional states consider proposed privacy bills and lawmakers discuss the potential for a sweeping federal regulation, many organizations are continuing to wonder how to establish and maintain compliance in this rapidly changing environment.
In March, Virginia approved the Consumer Data Protection Act (CDPA), which will take effect starting in January 2023. Organizations obligated under the law are evaluating the CDPA’s scope, requirements and enforcement, and how the law will impact their current business and data processing practices. For many organizations, compliance will involve incorporating CDPA requirements with existing GDPR, CCPA, or HIPAA programs. Others will be facing data protection regulation for the first time and thus designing their compliance programs from scratch. In all cases, organizations are looking for an answer to the question of how these efforts will dovetail with requirements under additional data privacy laws on the horizon.
Even though the CDPA’s scope and application differ somewhat from GDPR and CCPA/CPRA, many of the CDPA requirements mirror those within existing laws. For instance, it includes sales opt-out obligations like CCPA and provides data subjects with the right to opt-out of profiling, like GDPR. For organizations with an existing privacy program, the central difficulty in operationalizing CDPA or other new privacy laws lies in identifying, assessing, and remediating variations from already established privacy procedures. To do this, whether now in response to CDPA or in the future for additional regional regulations, organizations can follow five key steps. These steps can be replicated to adapt privacy programs as needed, and include:
Step 1: Identify requirements
The scope of the CDPA imposes obligations on entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents, and that either control or process the personal data of at least 100,000 consumers during a calendar year; or control or process the personal data of at least 25,000 consumers and derive at least 50% of gross revenue from the sale of personal data. Notable exceptions—i.e. companies not subject to CDPA regulation—include financial organizations governed by GLBA and health care industry organizations subject to HIPAA for employee-related data or benefits administrative information. The primary requirements in the CDPA include:
- Notice: § 59.1-574. Organizations need to inform consumers about the purpose of processing.
- Choice and consent: § 59.1-574. A. 5. Organizations need to obtain affirmative consent before collecting sensitive information.
- Consumer rights: § 59.1-573. Consumers have the right to access, rectify, delete, obtain a copy of their data, and opt-out from targeted advertising, the sale of personal data, or profiling.
- Disclosure to third parties: § 59.1-575. Controllers should ensure that appropriate contractual requirements are in place with processors who handle personal data.
- Data protection assessments: § 59.1-576. Controllers should perform data protection assessments for specific data processing activities, including those involving, among others, targeted advertising, the sale of personal data, or for purposes of profiling.
- Security: § 59.1-574. A. 3. Organizations should maintain reasonable administrative, technical, and physical data security practices.
- Exemptions: § 59.1-577. De-identified data sets are exempted from CDPA requirements under certain circumstances.
Step 2: Determine if CDPA applies
Based on the scope of the CDPA, organizations should perform a business impact assessment to determine exposure to the law. A thorough business impact assessment consists of a data map review to determine if the organization processes Virginia resident personal information and any inherent risks in that processing. The data map should identify business process activities, systems, products, and service providers handling personal information to determine business purpose and data flow.
Step 3: Assess variations in CDPA
Based on the data map review completed in step two, organizations can examine variations that may exist in the way CDPA rules are applied to their specific business, practices, and privacy control domains. Below, the CDPA’s requirements are categorized against the Generally Accepted Privacy Principles (GAPP) control domains, with examples of where the CDPA deviates from CCPA noted for each.
| GAPP Control Domains | Deviations Against CCPA |
|---|---|
| Notice | Information on the right to opt-out from targeted advertising. |
| Choice & Consent | Obtain affirmative consent for sensitive information. Provide an opt-out button for purposes of targeted advertising. |
| Access (or Consumer rights) | Ability to opt-out for purposes of targeted advertising. |
| Monitoring & Enforcement | Perform data protection assessments for certain processes. |
| Disclosure to Third Parties | Determine controller vs. processor role. The controller may perform audits of processors. |
Step 4: Update or add privacy controls
Assessing deviations provides an understanding of the areas of your privacy control domains that may need to be updated. Key areas to consider are:
- A review of the company’s Privacy Notice and possible language updates
- Updates to existing policies and training related to privacy
- Data subject access request procedures
- Consent and opt-out procedures
- Third-party contract language
- Privacy impact assessment processes
Of note is that while the CDPA applies solely to Virginia resident personal information, the CDPA also grants the Attorney General discretion in the ability to request “any data protection assessment that the Attorney General deems relevant” during an investigation. Products, assets or processing activities hosted in Virginia may be construed as relevant, and so data privacy impact assessments performed on processes or products involving these data centers may require additional scrutiny.
Step 5: Prepare for new and changing privacy laws
Even after an organization has fully addressed its exposure under CDPA, the question of how to ensure the privacy program is constantly nurtured amid new privacy laws remains. For example, the CPRA also becomes effective in January 2023 and will need to be operationalized—in addition to CCPA controls—within all businesses with a presence in California, ahead of that date. Organizations with an international footprint will need to adapt to an evolving spectrum of global privacy laws. In light of this, it’s important to be proactive and consistent, with a documented process for identifying upcoming requirements, categorizing them against current privacy controls, identifying gaps, and defining control and ownership for remediation and implementation. This will require a strong data inventory foundation and key stakeholder support for data privacy activities. A robust change management process to consistently add and modify programs per emerging laws and ensure employee cooperation with new policies is also critical.
The U.S. is still in its infancy when it comes to robust data privacy regulation. But change is afoot. We’re seeing a surge of activity among lawmakers across most states and industry-focused governing bodies, with the goal of strengthening personal data protection and adding teeth to how personal data handling is enforced. This recent development in Virginia is a good example of the types of laws that will be introduced and approved in the coming years. Organizations will need to be ready with a flexible data privacy foundation and repeatable processes to evaluate and implement new requirements as they arise.
About the Authors
Deana Uhl is a Managing Director in the FTI Technology practice. She provides consulting to corporate clients, with a focus on designing, implementing, and enabling change management for information governance, data privacy, data security, and e-discovery programs.
Simon Gaillard is a Senior Consultant in the FTI Technology practice. He helps organizations build sustainable privacy programs and manage their data in a more secure and effective manner in line with GDPR, CCPA, HIPAA, and other data regulations.