As discussed in an earlier post, California was the first state to enact a comprehensive state privacy law. Now, a second state has signed into law a wide–ranging privacy act similar to the California Consumer Privacy Act (CCPA). On March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) became law.  Several other states are poised to pass similar legislation this year. Let’s review Virginia’s CDPA and how an organization can be proactive in this rapidly changing environment (ensuring compliance).

What is the Virginia Consumer Data Protection Act (VCDPA)?

Generally, the most important consideration when a new law is passed is: Does it apply to my organization? VCDPA will most likely apply to for-profit and business-to-business companies interacting with Virginia residents, or processing personal data of Virginia residents on a relatively large scale. More specifically, this law compels certain obligations on entities that conduct business in Virginia or produce products and services that are targeted to Virginia residents, during a calendar year, which either:

• Control or process data of at least 100,000 consumers, or
• Control or process data of at least 25,000 consumers and derive 50 percent of gross revenue from the sale of personal data.

How is Personal Data and Sensitive Information Defined

The statute broadly defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person[,]” and to exclude “de-identified data or publicly available information.” It defines “sensitive information” as data that includes:

• “Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
• The personal data collected from a known child; or
• Precise geolocation data.”

Key Data Privacy Business Obligations Required Under the VCDPA

As indicated above, VCDPA generally applies to any for-profit and business-to-business company interacting with Virginia residents, or those processing personal data of Virginia residents on a relatively large scale. When the law becomes effective on January 1, 2023, these companies will be required to comply with the following:

1. Businesses are limited on the collection and use of data and will be required to implement certain technical safeguards. Specifically, businesses must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect confidentiality, integrity, and accessibility of personal data” (S.B. 1392 § 59.1-574(A)(3).
2. Controllers must conduct formal “data protection assessments” for certain types of data that they collect.  There is no prescription, however, for how frequently the assessments need to be conducted.
3. A contract between a controller and processor must be created to govern the processor’s data processing procedures (and outlining the controller’s instructions, the nature and purpose of processing, and the obligations of each party, and duties of confidentiality).
4. Businesses that process “sensitive data” will be required to obtain consumer consent for such processing.

In the absence of federal comprehensive regulation, states are moving forward with their own data privacy legislation. The U.S. is at the proverbial tip of the data privacy iceberg, as more states are actively considering various forms of data privacy legislation.  As of March 2021, there were approximately 12 states with active bills related to data privacy in state legislatures. So far the two states (California and Virginia) have diverging approaches to enforcing compliance with these laws; and regardless of the enforcement mechanism and associated fines, businesses large and small should address information privacy proactively. It is incumbent upon an organization to take the following measures.

How Should Companies Prepare for these New Data Privacy Regulations?

Experts recommend beginning by taking the following immediate steps to ensure compliance with privacy regulations:

• Conduct an audit of all PII that is collected, stored, distributed, or shared; and identify all parties who have access to the data, and describe how it is currently being used.
• Identify all information subject to specific privacy or security obligations.
• Develop, implement, and update information privacy and data security policies, practices, and procedures
• Evaluate data retention policies;
• Identify all vendors and service providers that collect, store, process, or distribute PII on their behalf.
• Assess data networking operations to determine the applicable international, federal, and state privacy requirements and expectations.
• Implement a mechanism for allowing consumers to request data correction; and
• Update the “Do Not Sell” mechanism to either include a second “Limit the Use of my Sensitive Personal Information” button, or bundle both mechanisms under one button.

Additionally, an organization should adhere to the following best practices when preparing for new state privacy regulations:

• Approach data privacy universally. Consider data privacy as a holistic risk management issue for the organization.
• Map your data. Understand what you have, who owns it, who has access to it, where it’s stored, and where it is shared – both inside and outside of the organization.
• Ensure your service providers and other data stakeholders have robust data policies and procedures that meet your standards. Are these data privacy requirements are documented in your service level agreements?
• Review and update your practices regularly. What you collect and what you do with what you collect changes more often than you might think.
• Conduct ongoing training programs for staff on security, privacy threats, and data protection best practices

In addition to implementing the above measures, an organization should assess its data privacy risk. A privacy risk assessment produces the information that can help an organization compare the benefits of its data processing with the risks to determine the appropriate response. Some of the measures above, such as auditing PII and identifying parties who have access to this data, could be part of the assessment.

Some organizations have risk assessment tools and resources that can be leveraged to assess an enterprise’s privacy risk.  The National Institute of Standards and Technology offers the Privacy Risk Assessment Model (PRAM) and the International Association of Privacy Professionals has various resources tools and “tracker” resources to monitor data privacy regulations and litigation.

Since data privacy should be approached from a universal perspective we recommend that an organization conduct an information governance (IG) program assessment. An IG program assessment measures program maturity across risk management, privacy compliance, records and information management, technology systems, and business objectives.  More on this topic in a future blog.

Need Help Getting Started?

Cadence Group’s experienced team of information governance consultants can assist your organization with navigating the tricky world of privacy regulations and get you on the road to compliance.  Our service offerings include:

• Information Governance Program Assessment (including maturity modeling)
• Records and Information Management Policy and Procedure Development
• Records Retention Scheduling (including privacy compliance)
• Information repository mapping and data cleanup
• Program audits

For more information, contact us or visit www.cadence-group.com.

Follow us on Twitter @CadenceGroup and LinkedIn for updates and other Cadence Group news.