This Week in Privacy: 8 March 2021
March 08, 2021
Virginia: Governor signs CDPA into law
Virginia became the latest State to pass a comprehensive privacy law, following the Governor's signature of the Consumer Data Protection Act into law.
The CDPA will enter into force on 1 January 2023 and provides consumers with several rights, including:
- the right to opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling;
- the right to confirm if their data is being processed;
- the right to amend inaccuracies;
- the right to data deletion; and
- the right to data portability.
The CDPA mandates several obligations for data controllers, including:
- providing consumers with a privacy notice;
- establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
- conducting and documenting data protection assessments; and
- contractual requirements in engaging data processors.
OneTrust DataGuidance hosted a reactionary webinar examining the CDPA which you can watch on demand here.
You can also access our CDPA Portal here.
USA: Washington, Florida and Rhode Island progress further bills
Elsewhere in the US, there were privacy bill developments in other States including Washington, Florida, and Rhode Island.
In Washington, the bill for the Washington Privacy Act (SB 5062) passed the State Senate, after being introduced for the third time earlier this year. In Florida, a new Senate Bill, 1734, was introduced in the Florida State Senate which would also create data subject rights for consumers; create new obligations for businesses in relation to sharing personal information; and establish a private right of action against a business who violates any of the provisions. If passed, SB 1734 would take effect on 1 July 2021.
In Rhode Island, House Bill 5959 for the Rhode Island Transparency and Privacy Protection Act was introduced to the House of Representatives. HB 5959 seeks to help consumers identify information collected by online service providers and commercial websites and which is then shared or sold to third parties.
As ever, you can stay up to date on state bills as they move through their legislative process through our State Law Tracker.
Bermuda: PrivCom recognises APEC CBPR system for data transfers
The Office of the Privacy Commissioner for Bermuda announced that it recognised the APEC Cross Border Privacy Rules system as a certification mechanism that can be utilised for overseas data transfers under the Personal Information Protection Act.
In particular, PrivCom highlighted that its recognition of the certification mechanism provides organisations with certainty in their operations and the data transfers that must occur in the course ordinary business, along with a standardised, predictable mechanism to access markets and overseas third parties in Asia-Pacific economies, including the United States and Canada.
PrivCom also noted that organisations should ensure that the CBPR certification is a material part of their agreements with overseas third parties.