Support Centre

Virginia: Assessment requirements under the CDPA

Virginia's new Consumer Data Protection Act ('CDPA') borrows many terms and concepts from the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). One of these concepts is the Privacy Impact Assessment ('PIA'), sometimes referred to as the Data Protection Impact Assessment ('DPIA'). The CDPA calls its version a Data Protection Assessment, however, the acronym 'DPA' means something entirely different in the GDPR, and to many privacy experts, so within this article the CDPA Data Protection Assessment shall be referred to as an 'Assessment.' John Pilch, Cybersecurity/Privacy Analyst at Woods Roger PLC, describes the required content of an Assessment, the situations in which an Assessment is required, disclosure requirements and protections related to an Assessment, and a few important miscellaneous points.

Tim Pennington / Essentials collection / istockphoto.com

As the GDPR is the most well-known and widely-discussed privacy law in the world, this article attempts to compare and contrast the CDPA against the GDPR in relation to the concept of Assessments. At the outset, however, it is important to note that the scope of the CDPA is narrower than that of the GDPR, as the CDPA does not cover personal data in a commercial (i.e., B2B) or employment context.

Content of the Assessment

As with the GDPR, the core of the Assessment under the CDPA is a risk/benefit analysis of the processing activity. The controller must identify and weigh the following:

Image

The controller must also factor into the assessment the:

  • context of processing;
  • relationship between the controller and the consumer whose personal data will be processed;
  • reasonable expectations of consumers; and
  • use of de-identified data.

Although not stated directly, the expectation is that the controller will apply additional safeguards if needed to achieve the necessary balance, or will decide not to perform the processing activity. The required content of an Assessment, and the actions to be taken, are very similar to that of a PIA/DPIA under the GDPR.

Situations requiring an Assessment

The CDPA requires each controller to conduct an Assessment of each of the following processing activities:

  • the processing of personal data for purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial, physical, or reputational injury to consumers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers;
  • the processing of sensitive data; and
  • any processing activities involving personal data that present a heightened risk of harm to consumers.
  • Targeted advertising

    The CDPA defines this term as 'displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.'

    This definition seems to cover advertising based on profiling, which is identified as high risk processing under the GDPR and would therefore require a PIA/DPIA. The second part of the definition, listing activities not considered to be 'targeted advertising,' provides more clarity. 'Targeted advertising' does not include:

    • advertisements based on activities within a controller's own websites or online applications;
    • advertisements based on the context of a consumer's current search query, visit to a website, or online application;
    • advertisements directed to a consumer in response to the consumer's request for information or feedback; or
    • personal data processed solely for measuring or reporting advertising performance, reach, or frequency.

    These exclusions show that the CDPA is focused on the risks posed by large-scale, web-centered advertising providers, not on advertising in general.

    Sale of personal data

    The CDPA defines this term as 'the exchange of personal data for monetary consideration by the controller to a third party.' This is very straightforward, and the exclusions are minimal. 'Sale of personal data' does not include disclosure to:

    • a processor that processes the personal data on behalf of the controller;
    • a third party for purposes of providing a product or service requested by the consumer;
    • an affiliate of the controller;
    • a third party as an asset that is part of a merger, acquisition, bankruptcy, etc.; or
    • anyone, if the consumer intentionally made the personal data available to the general public via a channel of mass media and did not restrict it to a specific audience.

    Interestingly, the CDPA did not include 'share' or 'sharing' in the definition, so some large scale disclosures of personal information may not be covered by an Assessment.

    Profiling

    The CDPA defines this as 'any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.' This definition is nearly identical to that used in the GDPR, but the CDPA requires an Assessment only if there is a reasonably foreseeable risk of:

    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial, physical, or reputational injury to consumers;
    • physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers.

    The CDPA considers that some profiling is not high risk. If a controller were to assert that their profiling processes were not high risk, however, the documented analysis supporting that assertion would probably be nearly as detailed as an Assessment. It seems likely that the best use of time would be to complete an Assessment of all profiling processes.

    Processing sensitive information

    The CDPA defines this information as a category of personal data that includes:

    • personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
    • the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
    • the personal data collected from a known child (i.e., under 13 years of age); or
    • precise geolocation data (i.e., within 1,750 feet).

    This definition is very similar to that in the GDPR, although the GDPR requires a PIA only if the volume of sensitive data is large.

    Other

    The last category covers 'any processing activities involving personal data that present a heightened risk of harm to consumers.' The presence of this category encourages controllers to think about their processes deeply. Some risks may be substantial, but do not fit into the categories described above.

    Required and protected disclosures

    Under the CDPA, the regulator or relevant authority is the Virginia's Attorney General ('AG'). The AG may require a controller to disclose any Assessment relevant to a specific civil investigation. The AG may then evaluate the Assessment for compliance with the CDPA requirements. This is similar to the situation under the GDPR, but the CDPA provides significant protections to the controller. First, Assessments are exempt from public inspection and copying under Virginia's Freedom of Information Act. Also, the disclosure of an Assessment to the AG does not remove protections that exist under the attorney-client privilege or work product doctrines. These protections encourage controllers to perform detailed and honest Assessments, as they reduce the possibility of the documents being used against them in future judicial proceedings.

    Miscellaneous important points

    The CDPA includes these miscellaneous points:

    • An Assessment can cover more than one processing activity, as long as the activities are similar. This is similar to the approach under the GDPR, and will reduce the burden on controllers.
    • A controller may substitute an existing PIA, DPIA, or similar document for an Assessment if the scope and effect are similar. This will reduce the burden on controllers subject to multiple data privacy regimes.
    • Assessments are required for processing activities created or generated after 1 January 2023 and are not retroactive. This will reduce the burden on controllers, although it is not clear whether an Assessment becomes required if there is a substantial change to one of these 'grandfathered' processes.

    Conclusion

    The CDPA adopts many terms and concepts from the GDPR, and Assessments are a good example. The intent and requirements of the Assessments are similar to those of the GDPR PIA/DPIAs. As pointed out in this article, the CDPA is a bit more business-friendly than the GDPR, but there are still 20 months before it comes into effect. Some changes may be made before 1 January 2023.

    John Pilch Cybersecurity/Privacy Analyst
    [email protected]
    Woods Roger PLC, Richmond