Virginia: CDPA requirements for data controllers
Virginia's Consumer Data Protection Act ('CDPA'), which takes effect from 1 January 2023, is both brief and direct. Controllers, defined in the CDPA as 'the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data', play a central role in protecting consumer data. John Pilch, Cybersecurity/Privacy Analyst at Woods Rogers, describes the obligations of controllers under the CDPA, including adherence to basic principles, providing notices to consumers, enabling the exercise of consumer rights, establishing appropriate contracts with processors, and preparing data protection assessments.
Applying definitions and basic principles
The CDPA begins with a number of definitions. Several of these are important to controllers, as they set the boundaries of controller obligations:
- Consumer - a natural person who is a resident of Virginia acting only in an individual or household context. The definition does not include natural persons acting in a commercial (i.e. business to business) or employment context (including applicants, employees, emergency contacts, and beneficiaries), nor does it include dead persons.
- Personal data - any information that is linked or reasonably linkable to an identified or identifiable natural person. The definition does not include de-identified data or publicly available information, nor does it include data protected by other laws (for example, the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), the Gramm-Leach-Bliley Act of 1999 ('GLBA'), etc.).
- Process (or processing) - any manual or automated operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification.
The CDPA also contains a list of basic principles that apply to controllers. It indicates that controllers must:
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer ('data minimisation');
- not process personal data unnecessarily, nor for purposes incompatible with those disclosed to the consumer, or without the consumer's consent ('purpose limitation');
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
- not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; and
- not process sensitive data concerning a consumer without obtaining the consumer's consent.
Some of these principles will seem familiar, as they are similar to those in the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), California's privacy laws, and other privacy laws around the world. Controllers may want to discuss these principles internally and with counsel. The 'purpose limitation' and 'data minimisation' principles in particular are quite new to the U.S., and their implementation may have a substantial impact on the marketing and sales operations of some companies.
Providing notice to consumers
Under the CDPA, controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- the categories of personal data processed by the controller;
- the purpose for processing the personal data;
- how consumers may exercise their rights, including one or more secure and reliable ways for consumers to submit a request, and how a consumer may appeal the controller's decision if there is disagreement about the request;
- the categories of personal data that the controller shares with third parties, if any; and
- the categories of third parties, if any, with whom the controller shares personal data.
If the controller sells personal data to third parties or processes personal data for targeted advertising, the controller must inform consumers of this, along with a way for consumers to opt out. It is probably best to make this disclosure through the privacy notice.
It is important to note that the CDPA does not specify when or how the notice must be delivered, only that it be reasonably accessible. This flexibility is important, as the controller could simply post the notice on its website, for example. Unlike some other privacy regulations, the CDPA does not require controllers to provide the notice at the time and place of data collection.
It is also important to note that, although not specifically required by the CDPA, controllers will need to create and maintain an inventory of the personal data they process in order to provide an accurate notice. This inventory does not need to be large and complicated; an Excel file would be sufficient for most controllers, as the information needed is at a category level. The CDPA does not specify how broad the categories of personal data may be, but categories like 'contact information', 'transaction information', and 'interests and preferences' seem to strike the right balance.
Enabling the exercise of consumer rights
Consumer rights are a big part of most privacy laws around the world, and the CDPA is no different. Virginia consumers have the right:
- to confirm whether or not a controller is processing their personal data and to access such personal data;
- to correct inaccuracies in the consumer's personal data;
- to require controllers to delete the consumer's personal data;
- to obtain a copy of the consumer's personal data in a readily usable and transferable format (applies only to personal data previously provided to the controller by the consumer); and
- to opt out of the sale of their personal data, and the use of their personal data for targeted advertising or profiling.
As indicated in the section on notice, the controller must provide a means for consumers to exercise these rights. The controller must authenticate requests before complying with them.
The controller must respond to authenticated requests without undue delay, but in all cases within 45 days of receipt of the request. The response period may be extended once by 45 additional days if necessary, as long as the controller informs the consumer of the extension and the reason for the extension. If the controller decides not to take action regarding the consumer's request, they must still respond within the same time limits, must state their justification for declining to take action, and must provide instructions for appealing the decision.
The controller must establish an appeals process that is conspicuously available and similar to the process for submitting the original requests. Controllers should include senior management and counsel in their appeals process, given the possible consequences. Within 60 days of receipt of an appeal, the controller must inform the consumer, in writing, of any action taken or not taken in response to the appeal, and must provide a written justification for the decision. If the appeal is denied, the controller must also provide the consumer with instructions for submitting a complaint to the Attorney General.
The controller must provide requested information to the consumer free of charge, up to twice annually per consumer. The controller may charge a reasonable administrative fee if the request is 'manifestly unfounded, excessive, or repetitive', or may simply decline to act on the request.
Dealing with consumer rights requests can be difficult, and controllers should not underestimate this. Treating each request as an opportunity to provide bespoke service will lead to an overloaded process. Controllers should identify likely types of requests, identify the systems and data involved, and prepare automated reports to help find the personal information of specific individuals. Controllers may also want to provide consumer self-service options, where feasible. Finally, controllers may want to pursue automation of the front end of the process (collecting requests, authenticating requests, distributing assignments within the organisation, monitoring the remaining time to respond, maintaining documentation, etc.).
Establishing appropriate contracts with processors
Many controllers outsource all or a portion of the processing of personal data. Under the CDPA, a written contract between the controller and the processor is required. The contract must be binding and must clearly state instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must require the processor to:
- ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- delete or return (it is up to the controller to choose one of the two options) all personal data at the end of the contract;
- make available to the controller all information needed to demonstrate compliance with the processor's obligations;
- provide, or allow the controller to arrange for, an assessment of the processor's policies and technical and organisational controls by a qualified and independent assessor; and
- engage subcontractors only through written contracts that impose the same privacy obligations on the subcontractor as those committed to by the processor.
These requirements are similar to those in many privacy laws around the world. Processors with operations outside the US are likely to be both familiar with these requirements and prepared to meet them.
Preparing data protection assessments
The CDPA has its own version of the Privacy Impact Assessment/Data Protection Impact Assessment (PIA/DPIA), a concept promoted most successfully by the GDPR. Controllers must prepare such an assessment, which the CDPA calls a 'data protection assessment', for activities involving:
- targeted advertising;
- sale of personal data;
- sensitive data; and
- any processing of personal data that presents a heightened risk of harm to consumers.
Data protection assessments must identify and weigh the benefits to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, mitigated by controls deployed by the controller. The controller should also take into account the reasonable expectations of consumers, the context of the activities, and the relationship between the controller and the consumer.
One data protection assessment may cover several related processing activities, and assessments conducted by a controller to comply with other laws or regulations may meet CDPA requirements if the assessments have a reasonably comparable scope and effect.
Unlike many privacy laws, the CDPA requires data protection assessments only for processing activities created or generated after 1 January 2023. The requirement is not retroactive, so there is no need to conduct assessments for existing activities. It is necessary, however, for controllers to put in place processes to identify new operations and activities that may require assessments.
One last word
The Virginia Legislature will consider amendments to the CDPA in early 2022. The topics likely to be addressed by amendments are known (see the Insight article 'Virginia: The CDPA Work Group's final recommendations' [1]), and those amendments are unlikely to make substantial changes to the obligations of controllers. As that is the case, controllers would be well-advised to start early in developing and implementing their plan to comply with the CDPA.
John Pilch Cybersecurity/Privacy Analyst
Woods Rogers PLC, Richmond
[1] Available at: https://www.dataguidance.com/opinion/virginia-cdpa-work-groups-final-recommendations