What you need to know about the Consumer Data Protection Act

Jan. 1, 2023 – Put this date in your calendar, and circle it in red. On this day, the second major state law governing consumer data privacy and security goes into effect, and it will likely affect your company’s operations.

I’m talking about Virginia’s Consumer Data Protection Act, commonly referred to by its acronym CDPA. It sounds quite similar to two other major data laws: the CCPA, the California Consumer Privacy Act, and GDPR, the European Union’s General Data Protection Regulation. 

If your company revamped its data policies to comply with GDPR, CCPA, or both, you’re probably in a good position to comply with CDPA. If not, you now have 8.6 million (Virginia’s estimated population as of 2020) more reasons to get your data processes, procedures, and policies in order. Like CCPA and GDPR, Virginia’s CDPA has many implications for marketers. 

This blog post will provide a general introduction to CDPA, explain how it compares with CCPA and GDPR, and tell you what you need to do now to comply with these laws. Disclaimer: It reviews these laws at a high level and should not be considered legal advice. Please consult your legal team or attorneys who specialize in data security and compliance.

What is the Virginia CDPA? CDPA scope, provisions, and penalties

CDPA requires companies to get a consumer’s explicit opt-in to collect or process personal data. It then regulates the collection, processing, storage, security, and use of data.

However, that doesn’t apply to email marketing, where CAN-SPAM’s requirement of a working opt-out remains the legal requirement.

CDPA focuses on how companies collect, use, protect, share, and manage consumer data, making specific provisions for sensitive data like personally identifiable information.

Key points of the Consumer Data Protection Act

1. Who must comply?

• Any for-profit business that conducts business in Virginia and controls, processes, uses, or sells the sensitive or private data of at least 100,000 Virginia residents

OR

• Any for-profit business that controls the data of 25,000 or more Virginia consumers in a single business year and earns at least 50% of its revenue from using consumers’ personal information

2. What is “sensitive data?”

It includes these categories: 

• Racial or ethnic background 
• Religious beliefs or affiliation 
• Health information, including mental health status 
• Citizenship or immigration status
• Personal financial data 
• Genetic or biometric data (fingerprints and face/voice recognition)
• Geolocation

3. How does CDPA impact existing federal laws?

CDPA doesn’t displace the numerous federal laws that already regulate sensitive and personal data collection, use, storage, and management, including these:  

• HIPAA (the Health Insurance Portability and Accountability Act)
• FERPA (the Family Educational Rights and Privacy Act) 
• COPPA (the Children’s Online Privacy Protection Act)
• FCRA (the Fair Credit Reporting Act)

4. What are the penalties for violating the law?

The Virginia Office of the Attorney General is the leading prosecutorial office for investigating CDPA complaints. Only the Attorney General’s office can file complaints or take other actions.

Once a company has received an official complaint, it has 30 days to respond and correct problems. If the company doesn’t comply and is found to have violated the law, the penalty is $7,500 per violation.

5. What are a consumer’s rights under CDPA?

Virginia residents (living in the state or maintaining resident status but living out of state) have these rights under the law:

• Opt out of data processing for targeted advertising or profiling
• Request access to their data
• Correct errors in their data
• Delete their personal data
• Get copies of their data in a format they can use without paying for software applications to read or access it
• Suffer no discrimination from companies for opting out of data collection

6. I don’t know how much of my data covers Virginia residents. What should I do?

Review your data now for geolocation, such as the IP address location your customers use when they browse your website or open and click on emails. Can you map that back to individuals?  

If not, be conservative. Assume everyone in your list is from Virginia. Also, do what you can to identify location, whether by reviewing IP addresses or asking for location wherever you collect data.

7. How does CDPA compare with CCPA and GDPR?

CDPA borrows from both CCPA and GDPR, but its explicit opt-in for collecting and managing data comes directly from the EU law. Here are some other relevant comparisons:

• Narrower compliance: CDPA interprets compliance more narrowly than CCPA. It requires that companies meet thresholds on both the number of Virginia residents they affect and the percentage of revenue attributed to selling their data. CDPA also limits data sales to those where money changes hands. CCPA includes monetary and other considerations.
• Opt-in versus opt-out: Like GDPR, CDPA requires companies to get informed, active consent (no checked boxes or passive permission) when collecting sensitive data. CCPA allows consumers to opt out of selling personal data. 
• “Public information” definition differs: Both CCPA and CDPA exempt “publicly available information” but the two laws define it differently. CCPA’s interpretation is stricter, meaning the information has to have been obtained legally from government records and excludes data collected without the owner’s consent. CDPA interprets the term more broadly to include any information made public, as long as it was exposed legally.

How to prepare for the CDPA?

From a data-management perspective, 2023 is not that far away. These should be among your first steps:

Review Shift Paradigm’s guidance for CCPA compliance: Bookmark and share Shift Paradigm’s 10-step checklist for complying with CCPA. This incredibly valuable checklist suggests several organizational changes, such as creating a cross-department steering committee that includes representatives from every department that touches consumer or customer data. 

Reach out to data teams: It’s in your best interest to build and maintain good relations with your IT and data groups, as well as the companies that store and process your data. 

As a marketer, you are focused on collecting and using your data for email, search, SEO, and other applications. But if that data gets breached after CDPA goes into effect, your company could be in an even bigger world of trouble. Keep in mind that the $7,500 penalty is per violation. Depending on how many Virginians are in your database, you could have quite the predicament.

Follow these four good data practices:

• Don’t collect data you don’t need. Especially on first contact, collect only what you need to begin the customer relationship. Use progressive profiling to ask for more data as the need arises. 
• Don’t share or sell data without permission. Also, review your third-party contracts that govern data processing and security protocols. If you do sell data, know where it will go.
• Store the data securely. Use storage services that comply with the strictest security protocols. Also, audit your data practices. Limit access only to those people who have a business reason to use it and review your in-house security procedures.
• Delete the data when you don’t need it anymore. Data laws like CDPA, CCPA, and GDPR are direct responses to data breaches. Data breaches happen when we don’t handle, share, sell, store, or secure it properly. Collecting unnecessary data and keeping it around when you don’t need it just increases your exposure to a breach. 

Besides causing personal damage, a breach can erode trust and equity in your brand. Some big brands, like Target, can survive a data breach. Smaller ones are far more vulnerable.

What’s next after the Consumer Data Protection Act (CDPA)?

California and Virginia are in the headlines because they are the first states to enact sweeping consumer data protection laws. But they won’t be the last. At least 15 states have legislation in various stages.

You can track this legislation with an interactive map maintained by IAPP, the International Association of Privacy Professionals. The map lists legislation status in a color-coded map of all 50 states and includes side-by-side comparisons and state-by-state status updates. 

As more states focus on consumer data protection laws, the need for a national standard becomes ever clearer. Proposed state bills have many different, and sometimes competing, variations. These variations make compliance a headache for national or international companies. 

A federal law that would set national standards is in the works. Congressional Democrats and Republicans have drafted initial bills, but action on the bill isn’t expected until later in 2022 or in 2023, given other legislative priorities.

Shift Paradigm can help!

If you need guidance, feel free to contact Shift Paradigm compliance experts. Although we don’t offer legal advice, we have worked with numerous clients in training and advocacy for years, and we are very involved in industry privacy and security organizations. We would love to help you be sure you are charting the right course to manage customer data protection and retain their trust and loyalty.