What is CDPA
The Consumer Data Protection Act, or CDPA, is the privacy law of the state of Virginia that regulates how organizations can obtain, process, use, store and distribute personal information of Virginia residents.
Specifically, CDPA regulates the way personal information and sensitive personal information is collected and handled, the way consent is obtained, how geolocation data is collected, how data is sold, and how targeted advertising affects compliance. In addition to this, it grants your website visitors a range of data access rights, similar to the ones granted by the GDPR or CCPA.
Last but not least, the CDPA is an opt-in law, which means you must inform your website visitors of the data you are obtaining and processing, and you must collect explicit and affirmative consent from your website visitors in order to legally obtain that data. The CDPA law was approved on March 2nd, 2021, and it is set to come into effect as of January 1st, 2023.
What is Personal Information and what are other key definitions?
The CDPA offers several definitions that have to be taken into account in order to stay compliant.
For example, the general concept of personal information covers biometric data, geolocation data and sensitive data. ‘Biometric data’ is any data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual; it does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA. ‘Precise geolocation data’ means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet; it does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
The law also offers definitions for ‘controller,’ the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information, or ‘processor,’ who is defined as a natural or legal entity that processes personal information on behalf of a controller.
The law sees a ‘child’ as any natural person younger than 13 years of age, and defines ‘personal data’ as any information that is linked or reasonably linkable to an identified or identifiable natural person, but which does not include de-identified data or publicly available information.
Last but not least, ‘sensitive data’ means a category of personal information that includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal information collected from a known child; or precise geolocation data.
Who has to comply with the CDPA?
Under the CDPA, for-profit organizations have to be compliant if they conduct business in Virginia or target residents of the state of Virginia, and meet one of the following thresholds:
- You control or process personal information of at least 100,000 consumers; or
- You control or process personal information of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal information.
Unlike the CCPA, for example, the CDPA has no revenue threshold imposed, so businesses of all sizes can be in scope depending on their collection and processing of consumer data.
Who is excluded from CDPA compliance?
The CDPA does not apply to the following types of entities:
- Any body, authority, board, bureau, commission, district or government agency in Virginia, or any political subdivision located in the state;
- Financial institutions or data that is subject to Title V of the Gramm-Leach-Bliley Act;
- Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);
- Nonprofit organizations;
- Higher education institutions.
How can I keep my organization CDPA compliant?
In order to be compliant with the CDPA, your organization should:
- Limit the collection of personal information to only that which is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer”;
- Limit the use of personal information, meaning do “not process personal information for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent”;
- Not process sensitive personal information without obtaining consent and in the case of sensitive personal information about children, follow COPPA’s rules;
- Implement technical safeguards for your website, meaning “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information. Such data security practices shall be appropriate to the volume and nature of the personal information at issue”;
- Conduct data protection assessments (“DPAs”) to determine any potential risks resulting from processing activities. There are no clear guidelines as to the frequency of the assessments or how long their results must be kept;
- Similar to the GDPR, if personal information is processed by a data processor on behalf of a data controller, this can only be done under a data processing agreement which must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties”;
- Inform your website visitors of:
  - The categories of personal information that will be collected;
  - The purposes for collecting personal information;
  - How your website visitors can exercise their data subject access rights, or appeal a controller’s decision in regards to a submitted request;
  - The categories of personal information that are being shared with a third party, if any; and
  - The categories of third parties with whom you share the personal information of your website visitors, if any.
What data access rights does CDPA grant?
The CDPA provides your website visitors with a series of data access rights, including:
- Right to access: your website visitors have a right to confirm whether or not you are processing their personal information and to access such personal information;
- Right to correct: they have the right to correct inaccuracies in their personal information, taking into account the nature of the personal information and the purposes of the processing of their personal information;
- Right to delete: self-explanatory, they have the right to delete any personal information provided by or obtained about them;
- Right to data portability: your website visitors have the right to obtain a copy of their personal information that they previously provided to you in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the information to another controller without hindrance, where the processing is carried out by automated means;
- Do Not Sell my Personal Information / Opt Out: individuals have the right to opt out of the processing of their personal information for the purpose of targeted advertising, the sale of personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the individual;
- Finally, CDPA gives your website visitors the Right to appeal, meaning that if you refuse to act on a data subject access request within the legal timeframe (45 days from the date of receiving the request) you are obliged to “establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable time after the consumer's receipt of the decision.” If the appeal is also denied, you must inform the individual whose appeal you refused how they can file a complaint with the Attorney General.
How to address data subject access requests under CDPA?
You must reply to a data subject access request “without undue delay, but in all cases within 45 days of receipt of the request submitted.” You are allowed to extend this by another 45 days, “when reasonably necessary, taking into account the complexity and number of the consumer's requests,” as long as you inform the person who submitted the request of the extension within the initial 45-day period, and you include the reason for the extension.
Before replying to a request, you must be able to authenticate said request. If you are unable to do so, you are not required to comply with the request and may request additional information “reasonably necessary to authenticate the consumer and the consumer's request.”
The information you provide in response to a request has to be “free of charge, up to twice annually per consumer.” However, the CDPA states that “if requests from a consumer are manifestly unfounded, excessive, or repetitive,” you may “charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request,” but you bear the burden of “demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.”
If an individual wishes to appeal your refusal to grant their request, you are required to establish a process for this to be possible. The appeal process has to be “conspicuously available and similar to the process for submitting requests to initiate action.”
Last but not least, within 60 days of receiving an appeal, you are required to inform the person who appealed your decision, in writing, of any action taken or not taken in connection with their appeal, along with a written explanation of the reasons for this. If their appeal is denied, you must provide them with “an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.”
Enforcement and penalties
The provisions of the CDPA are enforced by the state Attorney General.
Prior to taking any action against your business, the Attorney General will provide you with a 30-day written notice of the specific parts of this privacy law that you have violated. Generally, if within the 30 days you cure the violation(s) and provide an express written statement that these have been cured and that no further violations will occur, no action will be taken against you.
However, if you continue to violate any of the provisions of the CDPA following the cure period, or you breach an express written statement previously provided to the Attorney General, you are liable to be charged with a civil penalty of up to $7,500 for each violation. It is important to note that each “violation” could be each customer record under your control; penalties can therefore add up quickly.
Data Subject Rights - GDPR vs. CDPA
Under the GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Under the CDPA:
- The Right to Access
- The Right to be Informed
- The Right to Correct
- The Right to Delete
- Right to data portability
- Right to Opt Out / Do Not Sell my Personal Information
- Right to appeal
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.