Virginia’s Consumer Data Protection Act (CDPA) will also go into effect starting January 1, 2023. While it borrows heavily from California’s CPRA, we unpack the unique provisions your business needs to consider for privacy compliance in the Commonwealth.
This is the second article in Ethyca’s state privacy law series that will help your business prepare for the new state regulations coming into force in 2023. The next law we will unpack is Virginia’s Consumer Data Protection Act (CDPA, also called VCDPA). Like California’s CPRA, this law will go into effect on January 1, 2023.
Let’s take a closer look at the requirements of CDPA, and go over how your company can start preparing for compliance in the next couple of months.
Before overhauling your business’s current privacy program, determine whether your business even needs to worry about the privacy law in Virginia.
The Consumer Data Protection Act will apply to your business if it:
Based on these conditions, CDPA only applies to businesses that hold large quantities of consumer data. It’s less likely to apply to B2B businesses, and it does not apply to businesses that hold little personal data.
For companies that must comply with Virginia’s state privacy law, we’ll go over how you can start preparing for the new year.
Virginia’s Consumer Data Protection Act is the U.S.’s second state-level comprehensive modern consumer data privacy law. CDPA passed on March 2, 2021, and borrows heavily from the California Consumer Privacy Act (CCPA) – before the CPRA amendments were voted in.
As we mentioned in the first article of this series, preparing for California’s state privacy law will help your business get ready for other state privacy laws like CDPA. But, as our CEO Cillian Kieran has mentioned, it’s not a one-size-fits-all solution. Compliance with one state law does not guarantee compliance with another.
To make sure your business is CDPA-ready by next year, let’s go over the provisions of Virginia’s state privacy law.
(We know that privacy acronyms can be confusing, so feel free to bookmark our Data Privacy Acronyms List for ease of reading.)
Along with the rights to access, erasure, portability, and non-discriminatory practices established in CPRA, Virginians will also have the right to correct the information companies have on them, as well as appeal to businesses that have failed to process such requests.
By next year, consumers can request that businesses edit any incorrect data stored about them. Consumers will also be able to appeal to companies that have not processed their requests within the 45 days mandated under CDPA.
The CDPA also gives Virginians the right to opt out of certain data processing from businesses, such as the selling of their personal data. This provision aims to protect consumers from targeted advertising and user profiling.
Starting next January, businesses will be required to enter into data processing agreements (DPAs) with data processors. These agreements will govern what data processors are and are not allowed to do with consumers’ data.
Based on CDPA’s standards, these agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”
CDPA will also require businesses to produce Data Protection Impact Assessments (DPIAs). These are assessments that analyze the privacy benefits and risks of processing activities on the business itself, consumers, and other related stakeholders.
Your company must produce and document a DPIA for data processing activities involving:
This provision means your business needs to know not only where data lies in its systems, but also how and why it’s there. Not having a specific reason for collecting and keeping data will make your company more vulnerable to privacy violations.
To ensure your business stays compliant with CDPA, make sure you’re collecting and processing data in ways that respect consumers’ rights.
Whether it’s Virginia’s or California’s state privacy law, Ethyca can empower your business to succeed in regulatory compliance.
First, Ethyca will be making a series of updates to the Consent Management experience to make sure your company complies with the new 2023 regulations. These updates will allow your business to classify your collected data under multiple data categories. With Ethyca’s Consent Management Platform, consumers will also have control over opting in or out of data processing activities. Additionally, your company will be able to store users’ consent preferences for reporting and auditing purposes.
With the Fides privacy engineering platform, your business will also be able to seamlessly orchestrate users’ privacy requests. You’ll also be able to create a dynamic data map, to identify and discover PII living across all systems in your business. This will enable your business to easily fulfill access, erasure, and correction requests from consumers. With full data discovery and visibility across different systems, you’ll be able to automate users’ requests, saving your team time, money, and effort in the new year. Fides’ Privacy as Code power is also a great foundation for building auditable processes around DPIA workflows in your organization.
As both CDPA and CPRA will be enacted on January 1, 2023, your business needs to make sure it prepares for these laws by the start of next year. It can be frustrating for a business to deal with the differences among state-by-state privacy laws. But these privacy regulations relate to each other in ways that make preparing a little easier.
Ethyca is also here to help you ensure your business is compliance-ready for any U.S. privacy law in any state.