Jan. 1, 2023 – Put this date in your calendar and circle it in red. It’s the day the second major state law governing consumer data privacy and security goes into effect, and it will likely affect your company’s operations.
I’m talking about Virginia’s Consumer Data Protection Act – commonly referred to by its acronym CDPA, which sounds like two other major data laws, the CCPA (the California Consumer Privacy Act), and GDPR, the European Union’s General Data Protection Regulation.
If your company revamped its data policies to comply with GDPR, CCPA or both, you’re probably in a good position to comply with CDPA. If not, you now have 8.6 million more reasons (that’s Virginia’s estimated population as of 2020) to get your data processes, procedures and policies in order. Like CCPA and GDPR, Virginia’s CDPA has many implications for marketers.
In this post, I’ll present a general introduction to CDPA, how it compares with CCPA and GDPR, and what you need to do now to comply with these laws. Disclaimer: I will review these laws at a high level and am not offering legal advice. Please consult your legal team or attorneys who specialize in data security and compliance.
CDPA requires companies to get a consumer’s explicit opt-in to collect or process personal data and then regulates the collection, use, processing, storage and security of that data.
However, that doesn’t apply to email marketing, where CAN-SPAM’s requirement of a working opt-out remains the legal requirement.
CDPA focuses on how companies collect, use, protect, share and manage consumer data, making specific provisions for sensitive data like personally identifiable information.
It includes these categories:
CDPA doesn’t displace the numerous federal laws that already regulate sensitive and personal data collection, use, storage and management, including these:
The Virginia Office of the Attorney General is the leading prosecutorial office for investigating CDPA complaints. Only the Attorney General’s office can file complaints or take other actions.
Once a company has received an official complaint, it has 30 days to respond and correct problems. If the company doesn’t comply and is found to have violated the law, the penalty is $7,500 per violation.
Virginia residents (living in the state or maintaining resident status but living out of state) have these rights under the law:
Review your data now for geolocation, such as the IP address location your customers use when they browse your website or open and click on emails. Can you map that back to individuals?
If not, be conservative. Assume everyone in your list is from Virginia. Also, do what you can to identify location, whether by reviewing IP addresses or by asking for location wherever you collect data.
CDPA borrows from both CCPA and GDPR, but its explicit opt-in for collecting and managing data comes directly from the EU law. Here are some other relevant comparisons:
From a data-management perspective, 2023 is not that far away. These should be among your first steps:
Review Trendline’s guidance for CCPA compliance: Bookmark and share Trendline’s 10-step checklist for complying with CCPA. This incredibly valuable checklist suggests several organizational changes, such as creating a cross-department steering committee that includes representatives from every department that touches consumer or customer data.
Reach out to data teams: It’s in your best interest to build and maintain good relations with your IT and data groups, as well as the companies that store and process your data.
As a marketer, you are focused on collecting and using your data for email, search, SEO and other applications. But if that data gets breached, your company could be in an even bigger world of trouble if it happens after CDPA goes into effect. Keep in mind that the $7,500 penalty is per violation, so depending on how many Virginians are in your database you could have quite the predicament on your hands.
Follow these four good data practices:
Besides causing personal damage, a breach can erode trust and equity in your brand. Some big brands, like Target, can survive a data breach. Smaller ones are far more vulnerable.
California and Virginia are in the headlines because they are the first states to enact sweeping consumer data protection laws. But they won’t be the last. At least 15 states have legislation in various stages.
You can track this legislation with an interactive map maintained by IAPP (the International Association of Privacy Professionals). The map lists legislation status in a color-coded map of all 50 states and includes side-by-side comparisons and state-by-state status updates.
As more states focus on consumer data protection laws, the need for a national standard is becoming ever clearer. Proposed state bills have many different, and sometimes competing, variations, which makes compliance a headache for national or international companies.
A federal law that would set national standards is in the works. Congressional Democrats and Republicans have drafted initial bills, but action on the bill isn’t expected until later in 2022 or in 2023 given other legislative priorities.
If you need guidance, feel free to contact Trendline compliance experts. Although we don’t offer legal advice, we have worked with numerous clients in training and advocacy for years and are very involved in industry privacy and security organizations. We would love to help you be sure you are charting the right course to safeguard your customers’ data and retain their trust and loyalty.