Have you ever wondered where your data really goes when you send it to the cloud? If you followed the bits, there is a good chance that you would find your scientific research, shopping carts, and personal emails on a hard drive in the world’s largest data depot, inside northern Virginia’s Data Center Alley.
As the U.S. capital, Washington, D.C. is a logical place to base your business because the U.S. has been at the center of geopolitics, world finance, and technological development since World War II. In the early 1990s, America Online was based in northern Virginia, and in 2025, Amazon will open its new $2.5 billion headquarters there too. Every day, an astonishing 70% of the world’s Internet traffic passes through Virginia.
What is the Consumer Data Protection Act?
Given its status as home to much of the world’s data, the pressure is on Virginia to master information technology (IT) management and law. On February 4, 2021, the Virginia legislature passed the Consumer Data Protection Act (SB 1392), which establishes a framework for controlling and processing personal data. CDPA seeks to protect the “consumer,” defined as a “natural person” residing in Virginia, in an individual or household context. The law applies to “all persons that conduct business” in Virginia if they 1) control or process the personal data of at least 100,000 consumers, or 2) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
How the CDPA Compares to CPRA
CDPA is similar to the California Privacy Rights Act (CPRA) and the European Union General Data Protection Regulation (GDPR), in that it requires data controllers to practice “data minimization” and to publicly disclose what personal data they collect and how they collect it. All three provide individuals with numerous digital data rights. One area where CDPA goes further than California’s bill is its opt-out provision. Consumers may opt out not only from the sale of their data, but also from targeted advertising and profiling. This is strong language, and it may be difficult for some companies to remain in compliance. However, it is important to note that CDPA does not grant consumers a private right of action; enforcement is solely in the hands of Virginia’s Attorney General.
Preparing for CDPA: The Details
Now let’s examine the text of CDPA, which details the “responsibilities and privacy protection standards for data controllers and processors.” It grants natural persons “consumer rights to access, correct, delete, [or] obtain a copy of personal data.” The law will come into force on January 1, 2023, but you cannot wait until then to prepare for it, because your new to-do list is quite long.
Personal Data Defined
What is personal data? The CDPA defines it as any information (or a device) that is “reasonably linkable” to an identifiable “natural person.” There are two prominent exemptions: “publicly available” information, which can either be government records or information that is lawfully and widely distributed by the consumer; and “de-identified” data, which requires “reasonable measures” to ensure it cannot be associated with a natural person (this includes public statements and contractual obligations). Further, there is a higher category of “sensitive data” to be aware of, which encompasses racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, and immigration status. It also includes genetic and biometric data, information about family members, and “precise” geolocation (to a radius of 1,750 feet).
Attention Data Controllers
The bar for data controllers has been raised substantially. First, a data controller must limit the collection of personal data to what is “adequate, relevant, and reasonably necessary.” Second, it must establish, implement, and maintain the administrative, technical, and physical data security practices that are required to protect the confidentiality, integrity, and accessibility of the data it possesses. Third, a data controller must conduct and document a data protection assessment for each of the following personal data processing activities: sale, targeted advertising, profiling, sensitive data, and anything that could present a heightened risk of harm to consumers.
Personal data “processing” is defined as any operation, manual or automated, including its collection, use, storage, disclosure, analysis, deletion, or modification. Outsourcing does not diminish these requirements in any way. Any data processor must assist the data’s controller in meeting every legal obligation, with a duty of confidentiality. A processor must provide the controller with all information necessary to demonstrate compliance, and be prepared, at the controller’s direction, to delete and/or return all data. Processors must also allow, and cooperate with, assessments that review their policies and measures, and provide a report on the findings.
One area of particular concern for CDPA, which sets it apart from CPRA and GDPR, is the right of a consumer to opt out of profiling. Profiling refers to any form of personal data processing designed to evaluate, analyze, or predict an identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The danger of profiling, according to CDPA, is a “reasonably foreseeable risk” of unfair treatment, injury, or intrusion.
Consumers are specifically given the right to opt out of targeted advertising, as well as the sale of personal data, for profiling purposes. Targeted advertising is defined as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time. An advertiser may only use personal data collected within a data controller’s own websites or online applications, or within the context of a current search query, website visit, or a response to a specific consumer request.
Data controllers are required to communicate all of the above through a clear, accessible, and meaningful privacy notice describing what data they are processing, for what purpose, and whether it is shared with third parties. They must enumerate a consumer’s digital rights. Finally, a data controller must establish one or more “secure and reliable” means for a consumer to make a data request (without requiring the creation of a new account), and respond to every consumer request within 45 days, free of charge, up to twice annually.
If the Virginia Attorney General initiates a legal action against a data controller for a CDPA violation, the business may receive 30 days’ written notice to “cure” the violation. The business will then have to provide a written statement explaining that the violations have been cured and that no further violations will occur. Otherwise, the state may seek damages of up to $7,500 per violation. And you may have already guessed it, but CDPA strictures do not apply to state or local government, and there are exceptions for the federal government.
Virginia is the latest state to pass consumer privacy legislation, but it will not be the last, especially as the U.S. does not have a comprehensive federal data privacy law. Florida, Minnesota, New York, Oklahoma, and Washington are on the verge of adopting similar laws. It is worth noting that, even in this partisan political age, the CDPA unanimously passed Virginia’s Senate, and it should soon go to the Governor’s desk for signature. So keep your eyes open, as the confluence of IT evolution and data security threats will ensure that regulations, standards, guidelines, best practices, and legal action will not slow down anytime soon.