GDPR. CCPA. CPRA. And now… CDPA? Data privacy law acronym bingo lives another day.
Virginia this month passed the Consumer Data Protection Act (CDPA). The bill grants consumer rights to access, correct, delete and obtain a copy of personal data and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data or profiling of the consumer. It marks the fourth comprehensive state consumer data privacy legislation in the United States, joining California, Maine and Nevada.
The bill becomes effective Jan. 1, 2023. Turns out that’s the start of a big year for marketers because the California Privacy Rights Act (CPRA), which extends provisions of the California Consumer Privacy Act (CCPA), becomes fully operative that day.
No Time To Upend Privacy Programs
Is it time for marketers and those charged with collecting and managing customer and prospect data to start upending their programs because Virginia is getting into the mix? Not quite, says digital policy expert Kristina Podnar. That presumes, of course, that you're already on top of things.
However, in terms of differences with other existing state and other major privacy laws, there’s nothing “revolutionary” about Virginia’s CDPA, according to Podnar. “As a controller in Virginia I have 45 days to respond (to a consumer request) versus in the EU I have 30. To me I don’t think that makes or breaks it for a marketer. I still have to respond,” Podnar said, illustrating one of the subtle differences between Virginia’s privacy act and the European Union’s GDPR, which took effect in 2018. “I still have to have a process in place. I still have my controller. I still have my processor. I still have to get my permissions. I still have my data categories. I still have my third parties that I have to actually be very clear about who I'm sharing the data with. I still have to be able to provide the privacy notice. Are there differences between Virginia, Maine, Nevada and California? Yes... But if you already have been on this journey for GDPR and for CCPA you'll be fine, or you'll be like 95% there.”
To Whom Does This Law Apply?
Podnar is certainly not suggesting that marketers turn a blind eye to the Old Dominion's law. The first step is knowing to whom it applies.
The CDPA applies to businesses that conduct business in Virginia or target Virginia residents and that, in a calendar year, meet either of the following thresholds:
- Control or process personal data of at least 100,000 consumers
- Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. The CDPA defines a "sale" as an exchange of personal data for monetary consideration, rather than the broader "valuable consideration" found in CCPA. That distinction matters for businesses that have sponsors of webinars or white papers and don’t outright sell the data, according to Podnar.
The Virginia bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.
Key Dates To Know for Virginia
Virginia Governor Ralph Northam signed the CDPA into law on March 2. But it’s likely to be reshaped, just as the CCPA was by the CPRA last year.
The Virginia CDPA law directs the Joint Commission on Technology and Science to establish a work group to review the provisions and issues related to its implementation, and to report on its findings by Nov. 1, 2021. Podnar’s message here is that marketers are likely in a bit of a waiting period through November. “You still have to wait a little bit to see where the really big differences are going to be, and I know this is sort of frustrating,” Podnar said. “There are two waiting periods with Virginia — there's one through November, and then there's the secondary period which is once this makes its way into the court system and what are the rulings going to be.”
The bill has an effective date of Jan. 1, 2023.
What Rights Do Virginia Consumers Have?
Here’s what a consumer has a right to request of a brand that is on the hook for the Virginia CDPA:
- Confirm whether or not a controller is processing their personal data, and access that personal data
- Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data
- Delete personal data
- Obtain a copy of their personal data that the consumer previously provided to the controller, in a usable format that allows the consumer to transmit the data to another controller
- Opt out of the processing of personal data for purposes of:
  - Targeted advertising
  - Sale of personal data
  - Profiling in decisions that produce legal or similarly significant effects concerning the consumer
What Virginia Says About Targeted Ads
Stacey Gray, senior counsel for the Future of Privacy Forum, found the targeted-advertising opt-out provision of the Virginia privacy law interesting when compared to California’s CCPA. Virginia’s opt-outs for sale, targeted ads and certain profiling apply to pseudonymous data as well, so they cover a broad range of identifiers used in digital marketing, e.g., cookie IDs and mobile advertising IDs.
“The inclusion of ‘targeted ads’ and ‘profiling’ make the opt-outs in Virginia broader, in one sense, than CCPA, but many of the definitions are narrower,” Gray said. “From a business sense it probably makes sense to level up and consider how to implement an opt-out that addresses all behavioral marketing-related sharing of data, unless it can be narrowly cabined in as short-term/transient contextual advertising, or measurement and attribution within the meanings of both laws."
In Virginia, “targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests (hello there, cookies).
"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Think of 'Core Privacy Principles'
The established and recently-proposed privacy regulations have more in common than not, said Tyrone Jeffress, vice president of engineering and U.S. information security officer at Mobiquity. “It’s best for organizations to adapt business processes around core privacy principles — the right to informed consent, the right to correct, right to opt out — while building workflows, templates or checklists that can be tailored for each state," Jeffress said.
Timelines for responding to consumer privacy requests and providing consumer notifications (as Podnar noted earlier) likely will be the key areas where the regulations will vary from state to state, according to Jeffress. A method for identifying applicable reporting requirements and tracking adherence by location will be critical.
“Marketers should make sure they are in touch with their organizations’ central data protection or privacy officer or office with respect to the new regulations,” Jeffress said. "Performing a new Data Protection Impact Assessment — a common requirement in many of the privacy regulations — will help to identify both current gaps with new regulations and new privacy risks that must be assessed and managed."
Heavy Price for Noncompliance
Robert Prigge, CEO of Jumio, reminds marketers about the fines for noncompliance in the Virginia privacy law: up to $7,500 per violation. That’s a high price to pay for mishandling an individual’s privacy.
“Marketers need to recognize the critical importance of customer data privacy and understand consumer rights under the new law, including the right to opt out of having their data collected and sold, the right to view what data companies have collected about them and the right to correct or delete that data,” Prigge said. “Ahead of the January 1, 2023 effective date, marketers must be prepared to facilitate secure rights requests and have the capabilities in place to allow users to opt out of having their data collected to uphold the new rights of Virginia consumers and avoid non-compliance penalties."
Since these rights requests contain personal data, Prigge added that marketers must have a reliable way to confirm the consumer making the request is the real user and not a cybercriminal posing as the user with stolen or exposed data.
His advice on how to cope with an assortment of state data privacy laws, especially in the absence of an American federal consumer data privacy law of the kind GDPR provides for Europe? “Marketers need to ensure they are complying with the strictest of consumer privacy laws that apply to them, so that their data handling procedures can be compatible and compliant with other states and less-strict regulations,” Prigge said.
Trending Toward GDPR?
Sanam Saabar, general counsel at Iterable, said that while the CCPA has been referred to in the past as GDPR-lite, marketers will begin to see a trend of closer alignment with GDPR when it comes to future state data privacy laws.
Virginia’s CDPA, she said, appears to "one-up the CCPA" by more closely mirroring GDPR.
“We will likely see this trend continue because states don’t want to be left out,” Saabar said. “Legislators want to show that they value protecting their consumers, but this potential domino effect of patchwork legislation proves that there is a big appetite for federal legislation to be passed in the near future.”