Virginia’s Consumer Data Protection Act (CDPA) will also go into effect starting January 1, 2023. While it borrows heavily from California’s CPRA, we unpack the unique provisions your business needs to consider for privacy compliance in the Commonwealth.
This is the second article in Ethyca’s state privacy law series that will help your business prepare for the new state regulations coming into force in 2023. The next law we will unpack is Virginia’s Consumer Data Protection Act (CDPA, also called VCDPA). Like California’s CPRA, this law will go into effect on January 1, 2023.
Let’s take a closer look at the requirements of CDPA, and go over how your company can start preparing for compliance in the next couple of months.
Before overhauling your business’s current privacy program, determine whether your business even needs to worry about the privacy law in Virginia.
The Consumer Data Protection Act will apply to your business if it:
Based on these conditions, CDPA only applies to businesses that hold large quantities of consumer data. It’s less likely to apply to B2B businesses, and it does not apply to businesses that hold little personal data.
For companies that must comply with Virginia’s state privacy law, we’ll go over how you can start preparing for the new year.
Virginia’s Consumer Data Protection Act is the U.S.’s second state-level comprehensive modern consumer data privacy law. CDPA passed on March 2, 2021, and borrows heavily from the California Consumer Privacy Act (CCPA) – before the CPRA amendments were voted in.
As we mentioned in the first article of this series, preparing for California’s state privacy law will help your business get ready for other state privacy laws like CDPA. But, as our CEO Cillian Kieran has mentioned, it’s not a one-size-fits-all solution. Compliance with one state law does not guarantee compliance with another.
To make sure your business is CDPA-ready by next year, let’s go over the provisions of Virginia’s state privacy law.
(We know that privacy acronyms can be confusing, so feel free to bookmark our Data Privacy Acronyms List for ease of reading.)
Along with the rights to access, erasure, portability, and non-discriminatory practices established in CPRA, Virginians will also have the right to correct the information companies have on them, as well as appeal to businesses that have failed to process such requests.
By next year, consumers can request that businesses edit any incorrect data stored about them. Consumers will also be able to appeal to companies that have not processed their requests within the 45 days mandated under CDPA.
The CDPA also gives Virginians the right to opt out of certain data processing from businesses, such as the selling of their personal data. This provision aims to protect consumers from targeted advertising and user profiling.
Starting next January, businesses will be required to enter into data processing agreements (DPAs) with data processors. These agreements will govern what data processors may and may not do with consumers’ data.
Based on CDPA’s standards, these agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”
CDPA will also require businesses to produce Data Protection Impact Assessments (DPIAs). These are assessments that analyze the privacy benefits and risks of processing activities on the business itself, consumers, and other related stakeholders.
Your company must produce and document a DPIA for data processing activities involving:
This provision means your business needs to know not only where data lies in its systems, but also how and why it’s there. Not having a specific reason for collecting and keeping data will make your company more vulnerable to privacy violations.
To ensure your business stays compliant with CDPA, make sure you’re collecting and processing data in ways that respect consumers’ rights.
Whether it’s Virginia’s or California’s state privacy law, Ethyca can empower your business to succeed in regulatory compliance.
First, Ethyca will be making a series of updates to the Consent Management experience to make sure your company complies with the new 2023 regulations. These updates will allow your business to classify your collected data under multiple data categories. With Ethyca’s Consent Management Platform, consumers will also have control over opting in or out of data processing activities. Additionally, your company will be able to store users’ consent preferences for reporting and auditing purposes.
With the Fides privacy engineering platform, your business will also be able to seamlessly orchestrate users’ privacy requests. You’ll also be able to create a dynamic data map, to identify and discover PII living across all systems in your business. This will enable your business to easily fulfill access, erasure, and correction requests from consumers. With full data discovery and visibility across different systems, you’ll be able to automate users’ requests, saving your team time, money, and effort in the new year. Fides’ Privacy as Code power is also a great foundation for building auditable processes around DPIA workflows in your organization.
As both CDPA and CPRA will take effect on January 1, 2023, your business needs to make sure it prepares for these laws by the start of next year. It can be frustrating for a business to deal with the differences between state-by-state privacy laws. But these privacy regulations relate to each other in ways that make preparing a little easier.
Ethyca is also here to help you ensure your business is compliance-ready for any U.S. privacy law in any state.