Prepare for the CDPA: East Coast Meets West Coast as Virginia Signs Privacy Law
The state of Virginia recently voted to become the first state on the East Coast to enact a law governing how companies protect consumers’ personal data. The new law comes as tech giants face pushback from lawmakers and consumers over their handling of personal information.
The Virginia Consumer Data Protection Act (CDPA) bill was signed into law on 2 March 2021 and will go into effect in 2023.
Similar to the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), and even Europe’s GDPR, the CDPA is the latest development in what has been a watershed year for privacy legislation in the United States.
But businesses that have worked on compliance with the other laws shouldn’t rest on their laurels. They still need to prepare for the CDPA, which has provisions that differ from those of the CCPA and the CPRA.
In this article, we take a look at these distinct provisions of the Virginia Act and compare them to the CCPA (as amended by the CPRA) and the GDPR.
Key Provisions | Virginia CDPA | California CCPA + CPRA | Europe GDPR
---|---|---|---
Ability to Process | | |
Data Minimisation | Yes | No | Yes
Permissible Purpose | Yes | No | Yes
Individual Rights | | |
Right to receive notice of processing activities | Yes | Yes | Yes
Right to access personal data | Yes | Yes | Yes
Right to data portability (i.e., data must be provided in a readily usable format, so it can be transferred from one entity/platform to another) | Yes | Yes | Yes
Right to correct errors in personal data | Yes | No | Yes
Right to delete personal data | Yes | Yes | Yes
Right to opt-out of behavioral advertising | Yes | No | Yes
Right to object to automated profiling and decision making | Yes | No | Yes
Right to non-discrimination for the exercise of these rights | Yes | Yes | Yes
Right to opt-out of sales of personal information | Yes | Yes | No
Opt in or opt out for processing of sensitive information | Opt-in | Opt-out | Opt-in
Right to appeal denial of requests | Yes | No | No
Accountability/Governance | | |
Data Protection Assessments | Yes | No | Yes
Security | | |
Appropriate Data Security to Safeguard Information | Yes | Yes | Yes
Breach Notification | Yes | Yes | Yes
Data Transfers Outside EEA | | |
Additional measures for international transfers | No | No | Yes
Transfers to Third Parties | | |
Contractual Requirements in Service Provider Agreements | Yes | Yes | Yes
Marketing | | |
Consent for Adtech cookies | Yes | Yes | Yes
Consent obtained prior to direct marketing | No | No | Yes
Enforcement Agencies | Attorney General | Attorney General, CPPA | DPA
Operative date | 1 January 2023 | 1 January 2020 / 1 January 2023 | 25 May 2018
Businesses that have worked on achieving compliance with the CCPA or GDPR will find that these laws share much of their wording and terminology; however, it is a mistake to assume that the Virginia law has identical requirements.
While there are similarities to the CCPA and GDPR, the CDPA contains nuances, and how they apply is likely to be unique to each organization.
If you’re getting overwhelmed reading this, check out the step-by-step instructions we’ve laid out below to help tackle compliance with the new privacy law.
First, have the lawyers, IT professionals, and privacy specialists within your organization assess how the law applies to your business. Then, identify any gaps and develop a compliance plan that includes solutions for these issues.
Let’s go into further detail, shall we?
To achieve compliance with the CDPA, you need to:
- Create and maintain a comprehensive data inventory, providing insight into both the types of data involved and the nature of processing activities.
- Ensure that sensitive data is segregated and managed without unnecessary risks.
- Implement a framework for conducting Data Protection Impact Assessments (DPIA).
- Assess the cybersecurity policies, practices, and controls in place to ensure they are consistent with industry-recognized standards.
- Enable consumers to opt-out of the sale of their personal information (where applicable).
- Update public-facing privacy policies to, among other changes, pledge not to re-identify de-identified personal data and provide details on your data processing activities.
- Develop mechanisms for accepting, tracking, verifying, and honoring consumer requests under the CDPA to access, correct, and delete personal data and to opt out of its processing.
- Ensure that your customer service employees have accurate knowledge of the regulations to satisfy consumer requests efficiently and predictably.
Finally, while 2023 may seem a distant future, don’t postpone building your compliance plan.
If other recent privacy laws have taught us anything, it’s that these initiatives require extensive effort and time to carefully plan, spot gaps in your privacy mechanisms, and implement new policies, processes, and remediation efforts.
It is not too early to start CDPA compliance efforts, especially as more states, such as New York and Washington, begin to enact consumer privacy protection laws.
As more state legislatures become active in passing consumer privacy protection bills or laws, one thing becomes clear: ensuring customer privacy can no longer be an afterthought. It must be baked into your business model.