It started with the passage of the European Union’s General Data Protection Regulation, which became effective May 25, 2018. This was followed by California’s passage of the California Consumer Privacy Act (CCPA), which took effect on Jan. 1, 2020. Now both Virginia and Colorado have followed suit with Virginia’s Consumer Data Protection Act (CDPA) signed into law on March 2, 2021, and Colorado’s Privacy Act (CPA) signed into law on July 8, 2021.
While only three of the 50 states have adopted comprehensive data privacy laws to date, many others are considering such legislation, and more states are expected to enact it. As a result, it is critical for companies to review their data privacy policies to ensure compliance with applicable laws.
Summary of CDPA key provisions
The CDPA applies to any party that conducts business in Virginia or produces products or services that are targeted to residents of Virginia, and that: (i) during a calendar year, controls or processes personal data of at least 100,000 consumers or (ii) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. The act specifically exempts from its scope financial institutions subject to Title V of the federal Gramm-Leach-Bliley Act, as well as covered entities and business associates governed by HIPAA, nonprofit organizations and institutions of higher education.
The CDPA gives consumers the following rights with respect to their data:
1. To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data;
2. To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
3. To delete personal data provided by or obtained about the consumer;
4. To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
5. To opt out of the processing of the personal data for purposes of: (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Entities subject to the CDPA must give consumers a reasonably accessible, clear and meaningful privacy notice that includes the following:
1. The categories of personal data processed by the controller;
2. The purpose for processing personal data;
3. How consumers may exercise their consumer rights under the CDPA, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
4. The categories of personal data that the controller shares with third parties, if any; and
5. The categories of third parties, if any, with whom the controller shares personal data.
The CDPA becomes effective Jan. 1, 2023. In light of this upcoming date, businesses should review their business practices to determine whether they will be subject to the CDPA. If so, these businesses will need to confirm their privacy policies and privacy practices meet the requirements of the CDPA. We will provide similar guidance on the Colorado Privacy Act (CPA) in an upcoming newsletter.
Client alert authored by Kimberly T. Boike (312 855 6418), Principal and leader of the Healthcare and Not for Profit & Mission-Based Organizations groups.
This Chuhak & Tecson, P.C. communication is intended only to provide information regarding developments in the law and information of general interest. It is not intended to constitute advice regarding legal problems and should not be relied upon as such.