Virginia: CDPA requirements and vendors
Virginia's new Consumer Data Protection Act ('CDPA') borrows many terms and concepts from the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). One important concept is that privacy requirements must apply anywhere personal data goes in the supply chain. If an organisation could rid itself of all privacy obligations by outsourcing the work to another entity, one not required to follow privacy laws, then the system would fall apart. The CDPA does not allow this to happen. John Pilch, Cybersecurity/Privacy Analyst at Woods Roger PLC, walks us through the relevant definitions, requirements, and business protections, pointing out important aspects of the privacy ecosystem developed by the CDPA, with the focus on processors and the controller-processor relationship. Requirements applicable only to controllers are not covered in this article.
The CDPA uses several terms familiar to those who work with the GDPR, including:
- 'Controller' means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data. The CDPA points out that classification as 'controller' or 'processor' is a fact-based determination. Claiming to be a 'controller' or 'processor' is irrelevant if the entity performs the role of the other.
- 'Processor' means a natural or legal entity that processes personal data on behalf of a controller.
- 'Third party' means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
- 'Process' or 'processing' means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Processor's direct responsibilities
The CDPA requires processors to obey the instructions of the controller. This does not mean that the controller must document and explain every step of the process. It simply means that the processor cannot process the data for their own purposes. The data does not belong to them, and they have no rights to the data independent of their processor role.
The CDPA also requires processors to help their controller in:
- responding to consumer rights requests;
- maintaining security around personal data;
- providing appropriate notification in the case of a security breach; and
- conducting and documenting Data Protection Assessments.
The level of support, timing, and other details may be different from one controller-processor pair to another. The important point is that all relevant members of the supply chain must work together to protect the personal data of Virginia consumers. These requirements are quite similar between the CDPA and the GDPR.
Processor's contractual responsibilities
In addition to the requirements above, the CDPA requires controllers to establish a contractual relationship with their processors. The form of the contract is not specified, but many companies find the master agreement/work order arrangement provides the best combination of broad boilerplate language and nimble, actionable directions.
The contract must provide not only instructions for processing the data but also a description of the nature and purpose of processing, the type of data to be processed, the duration of processing, and the rights and obligations of both parties. It is important that the controller and the processor share expectations and develop a common view of the relevant processing.
Of course, the contract must be binding upon both the controller and the processor.
Additional processor requirements to be addressed in the contract include:
- ensuring that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- deleting or returning all personal data to the controller at the end of the contract;
- demonstrating compliance with all CDPA and contractual requirements;
- allowing, and cooperating with, reasonable audits, assessments, and other reviews by the controller or designated assessor;
- engaging subcontracted processors only through written contracts that require the subcontractor to meet the same standards as the processor with respect to the personal data; and
- committing not to attempt re-identification of any de-identified data, and taking reasonable measures to prevent such re-identification.
Again, these requirements are similar between the CDPA and the GDPR.
The CDPA copied many things from the GDPR, but is much friendlier to businesses. There is no private right of action under the CDPA, for example, and it does not apply in an employment context. When it comes to the supply chain, the CDPA protects businesses in the following circumstances:
- 'Guilt by association':
  - Business A (a controller or processor), when disclosing personal data to Business B, is not in violation of the CDPA simply because Business B has violated the CDPA, provided that, at the time of disclosing the personal data, Business A did not have actual knowledge that Business B intended to commit a violation.
  - Business A, receiving personal data from Business B in compliance with the CDPA, is not in violation of the CDPA based upon violations committed by Business B.
- CDPA versus privilege:
  - The obligations imposed on a business (controller or processor) under the CDPA do not apply if they would force the business to violate an evidentiary privilege rule. Disclosure of information is the activity protected by privilege, so the practical impact is that the CDPA cannot be used as a weapon to force companies to disclose personal data by claiming that the CDPA overrides privilege.
  - Note that the CDPA specifically affirms the precedence of privilege, stating 'Nothing in [CDPA] shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of [Virginia] as part of a privileged communication.'
- Acceptable use – the CDPA allows businesses to collect, process, and store personal data to:
  - conduct internal research to develop, improve, or repair products, services, or technology;
  - recall a product;
  - find and fix technical issues that impair functionality; or
  - perform internal operations that are reasonably aligned, anticipated, or compatible with the expectations of the consumer.
- No restrictions – the CDPA does not restrict the ability of a business to:
  - protect the life or physical safety of a natural person;
  - provide a product or service specifically requested by a consumer, including those covered by a contract with the consumer;
  - ensure the security of its IT assets;
  - protect itself from legal claims;
  - comply with other laws, rules, or regulations;
  - comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons;
  - cooperate with law-enforcement agencies;
  - engage in scientific or statistical research in the public interest, under certain circumstances; or
  - assist another controller, processor, or third party with its CDPA obligations.
Overall, the CDPA balances the need to protect the personal data of Virginia consumers with the need to protect Virginia businesses from unintended consequences. Taking a pragmatic approach, the CDPA nearly clones the GDPR's vision of the privacy ecosystem, making each level of the supply chain accountable to the level above it. The CDPA then addresses specific business concerns clearly and directly. This balance seems most appropriate for Virginia and, perhaps, the US.
John Pilch, Cybersecurity/Privacy Analyst
Woods Roger PLC, Richmond