California and Europe were front-runners with privacy regulations, with CalOPPA in 2003, Europe’s General Data Protection Regulation (GDPR) in May 2018, and the California Consumer Privacy Act (CCPA) in January 2020.
As predicted, other states are starting to follow suit, and the newest arrival on the scene is Virginia with the Consumer Data Protection Act (CDPA), signed into law on March 2, 2021. You can read the full text of the law here.
Does the Consumer Data Protection Act (CDPA) apply to your organization?
The CDPA applies to businesses that operate in Virginia or target Virginia residents with services or projects AND
- control or process the personal data of 100,000 customers in a year
- control or process the personal data of 25,000 customers and derive 50% of their revenue from the sale of personal data.
If your business or organization doesn’t process data from 100,000 customers in a year, you are not subject to the CDPA.
What rights do consumers have under CDPA?
As with the GDPR or CCPA, the CDPA provides consumers with several rights: the right to access their information, the right to correct their information, the right to delete their information or to obtain a copy of it, and the right to opt out of having their data processed.
Where can I learn more about the Consumer Data Protection Act?
- Virginia’s New Consumer Data Protection Act (CDPA) – JDSupra
- Virginia passes the Consumer Data Protection Act – IAPP
My organization is not subject to CDPA, so what does this mean for me?
CalOPPA, GDPR, CCPA, and now CDPA: whether your business or organization is subject to the regulations or not, these laws are likely the first of more to come. Consumers today want to know that companies take their customers’ privacy concerns seriously.
So even if you aren’t strictly subject to one of the regulations, we recommend you investigate the provisions of the various privacy laws and see what you can implement in your organization.
Here are some privacy recommendations:
- Make sure you only collect necessary data
- Inventory the data you collect, and know where you store it
- Know whether you are sharing data with third parties (your service providers, Google Analytics, etc.), and how they are protecting it
- Remove user data you no longer require
- Use secure methods and locations to store the data
- Secure your organization’s computers with firewalls and regular virus scans
- Secure your website
- Don’t add users to newsletters unless they opt in
- Clean out your e-mail list periodically
- Consider whether your website will respect “do not track” signals
Even if your organization is not subject to these privacy laws, it’s important to show your visitors and customers that you respect their right to privacy.