In March 2021, Virginia signed into law comprehensive privacy legislation known as the Consumer Data Protection Act (CDPA). The law takes effect on January 1, 2023, giving Virginia residents six rights:
- Right to access the personal data businesses have collected about them
- Right to correct any errors in the personal data available on them
- Right to delete personal data businesses have obtained about them
- Right to data portability by asking for a copy of their data in a readily usable format
- Right to opt out of having their data sold or used for targeted advertising
- Right to appeal a business's refusal to act on their request (businesses have 45 days to respond, extendable once by a further 45 days when reasonably necessary)
Notably, CDPA is more business-friendly than other privacy regulations; however, it’s still important for organizations to take the time to understand exactly what’s required under this new law and how to prepare accordingly.
Who Must Follow CDPA Guidelines?
CDPA applies to businesses that conduct business in Virginia or offer products or services targeted at Virginia residents, regardless of where the organization itself is located. However, unlike GDPR, which applies to controllers and processors of any size, CDPA only reaches organizations above a volume threshold. The Virginia law applies to businesses that, during a calendar year, either:
- Control or process personal data of at least 100,000 Virginia consumers, or
- Control or process personal data of at least 25,000 Virginia consumers and derive more than 50% of their gross revenue from selling personal data
Additionally, CDPA has a number of notable exceptions to these requirements:
- It does not apply to employee data. The law defines “consumer” as a resident acting in an “individual or household context” and excludes anyone acting in a “commercial or employment context.” This means businesses that collect employee data do not need to treat that data as consumer data under CDPA.
- It excludes some disclosures from the definition of a “sale.” Sharing data with processors, with a third party in order to deliver a product or service the consumer has requested, or with affiliates does not count as a sale under CDPA. Disclosing data that the consumer has made publicly available, or transferring data as part of a merger or acquisition, is likewise not a sale.
- It marks certain types of organizations as exempt. State government, non-profit, and higher education organizations as well as organizations subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA) are exempt from CDPA.
What Happens When a CDPA Violation Occurs?
The Virginia Attorney General is responsible for enforcing CDPA and can fine organizations up to $7,500 per violation. All fines will go to the Consumer Privacy Fund, which will fund future enforcements.
Before bringing an action, the Attorney General must give the organization written notice identifying the specific provisions it is alleged to have violated. The organization then has 30 days to cure the violation and respond with a written statement that it has fixed the problem and that no further violations will occur. If the violation is cured and the statement provided, the Attorney General will not bring an action; if the violation continues or recurs (or if the organization fails to respond), the Attorney General can seek an injunction and civil penalties.
What Type of Incident Response Does CDPA Require?
Under CDPA, companies must establish “reasonable administrative, technical, and physical data security practices” appropriate to the volume and nature of the data they hold, and must conduct and document data protection assessments for higher-risk processing (targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk to consumers, processing of sensitive data, and any other processing that presents a heightened risk of harm). The law does not say what “reasonable” means in practice; each organization has to decide that for itself, and it is the organization that will need to defend its practices and produce its assessments if the Attorney General comes asking.
Unlike GDPR, CDPA itself says nothing about notifying affected individuals or enforcement agencies when personal data is compromised. In Virginia those obligations come from an older, separate breach-notification statute (Va. Code § 18.2-186.6, with a companion provision for medical information), which defines a breach as the unauthorized access and acquisition of unencrypted or unredacted computerized personal information that causes, or the organization reasonably believes has caused or will cause, identity theft or other fraud. Encrypted data counts only if it was acquired in unencrypted form or the breach involved someone with access to the encryption key. That statute sets out the following incident response requirements:
Who to notify if a privacy incident occurs
At the very minimum, organizations must notify any affected individual and the state Attorney General if any kind of privacy incident occurs. Depending on the nature of the incident, they might also have additional notification requirements as follows:
- If more than 1,000 individuals are affected, organizations must also notify all consumer reporting agencies that maintain files of individuals nationwide about the timing, distribution, and content of the notice.
- If medical information is involved, organizations must notify the subject of that information and any affected residents (if they are not the same person). In these cases, they must also notify the Commissioner of Health.
- If the organization maintains any personal information that it does not own (e.g. in the case of a processor), they must notify the owner (aka the controller) of that data.
When to issue a privacy incident notification
Organizations do not have a fixed number of days in which to issue the notification; they are required to do so “without unreasonable delay.” An organization may reasonably delay the notice while it determines the scope of the breach and restores the reasonable integrity of the affected systems, and it must delay the notice if law enforcement determines that notification would impede a criminal or civil investigation (in which case notice goes out without unreasonable delay once law enforcement clears it). Beyond that, the burden falls on the organization to decide what “unreasonable” means for its timeline, and to be able to show that the investigation and containment work justified the time taken.
How to issue a privacy incident notification
Organizations can issue a privacy incident notification in the mail, on the telephone or electronically. In any format, the notice should describe the following:
- The general incident
- The type of information involved
- What actions the organization is taking to protect the information from future incidents
- A phone number the affected individual can use to get more information or assistance, if one exists
- Advice that affected individuals stay vigilant, for example by regularly monitoring account statements and credit reports
If the organization demonstrates that the cost of the notice will exceed $50,000, if more than 100,000 Virginia residents are affected, or if the organization doesn’t have sufficient contact information to provide notice to each individual, then they can issue a substitute notice. This substitute notice must include all of the following:
- Emails to any affected individuals for which the organization has that type of contact information
- A conspicuous notice posted on the organization’s website (assuming it has a website)
- Notice to major statewide media
Finally, the law does allow organizations to maintain their own notification procedures for Virginia residents as long as they comply with the timing requirements of “without unreasonable delay.”
What’s Considered a Privacy Incident Under CDPA That Requires Notification?
Privacy incidents are a broader category than security breaches. They include everything from a denial of service or other destructive attack to a privacy error such as a lost employee laptop or processing data without consent. Not all of these trigger the notification duty, which under Virginia's breach statute attaches only when unencrypted or unredacted personal information was actually accessed and acquired by an unauthorized party (a laptop with full-disk encryption whose key was not exposed generally does not qualify). But every one of them may be a CDPA violation, and the organization needs to investigate each far enough to know which category it falls into. A few examples of incidents that can lead to companies issuing a notice include:
1) Phishing
An employee falling victim to a phishing attack and exposing sensitive data (such as credentials that give unauthorized parties access to the company’s consumer data) can present issues under CDPA. Once credentials are exposed, the organization must assume the attacker could reach any data those credentials unlocked until its logs show otherwise; the scope of that access, not the phishing email itself, is what determines whether personal information was “accessed and acquired” and therefore who must be notified.
2) Improperly Shared Data
Improperly sharing data qualifies as a privacy incident. This might include sharing data with partners after consumers have opted out, sending sensitive data over unencrypted channels, or responding to a consumer’s access request and accidentally including someone else’s information. The first is a direct CDPA violation; the last is an unauthorized disclosure that can trigger the breach statute as well. Regardless of whether it was an honest mistake, improperly sharing data in any of these ways exposes the organization under CDPA.
3) Nation-State Attack
A nation-state attack is a cyber attack backed by a country’s government. These attacks have grown over the past several years as a way to obtain intellectual property, strategic insight, and other sensitive information, and they can expose consumers’ sensitive data and put them at risk, creating a privacy incident that requires a response.
How Can Organizations Prepare for CDPA?
CDPA requires organizations to implement appropriate security procedures to protect against any kind of incident. That said, experiencing some kind of incident is inevitable in today’s environment. As a result, organizations must be prepared to respond quickly and appropriately when something happens.
Part of this preparation is laying the groundwork to properly identify when something does occur, for example by ensuring visibility into how data gets collected and used. The other part of this preparation is having plans in place to jump into action and take the necessary remediation steps, which includes establishing a team who is responsible for security protocols and incident response.
Along the way, organizations should account for three phases of incident response:
- Readiness: Having a clear incident response plan in place that allows a team to jump into action at any time is essential. This readiness will help meet Virginia’s requirement of responding “without unreasonable delay” and can also help reduce the associated costs. A strong readiness plan requires:
- Understanding guidelines set forth in regulations and in contracts with customers and partners
- Developing incident response plans according to those guidelines
- Keeping up-to-date on changes to guidelines and adjusting plans as needed
- Response: When an incident does occur, teams need to be able to jump into response mode immediately. Confidently responding to an incident means teams must be able to:
- Identify what happened, what data was involved, and who was affected quickly and easily
- Immediately start looking for recovery opportunities, which matters given Virginia’s 30-day cure period once the Attorney General issues notice of a violation
- Quickly issue a notification with all of the required information to affected individuals
- Ongoing Management: Making incident response preparation an ongoing effort is essential to keeping protocols aligned with rapidly changing regulations, updated contracts with partners and customers, and changes to the organization’s own systems. This ongoing effort is far easier with a central place to:
- Stay organized about relevant updates around privacy regulations
- Keep reporting and monitoring information in a single source of truth
- Make incident response plans and responsibilities visible and accessible to key stakeholders
How Does Virginia’s CDPA Compare to California’s CCPA & CPRA?
Virginia and California have the most comprehensive privacy legislation in the US with the recent passage of CDPA in Virginia and CCPA and CPRA in California. While there’s a lot that’s similar between the laws in these states, there are also some notable differences. Understanding these distinctions will prove important as organizations think through how to prepare for each one.
Similarities Between CDPA and CCPA/CPRA
- Burden of data protection: Both CDPA and CCPA/CPRA place the burden of data protection on organizations. Specifically, both regulations require organizations to implement what they deem necessary to protect the personal information they collect and store on consumers.
- Right to access, correct, and delete: Both CDPA and CCPA/CPRA give consumers in their respective states the right to access the data organizations have collected about them by submitting a request, the right to correct any inaccuracies in that data, and the right to ask the company to delete their information.
- Opt out as the “default:” Both CDPA and CCPA/CPRA make opting out the “default” for most processing (versus GDPR, which requires a lawful basis such as consent before processing begins). This means that organizations can continue to collect and use data on consumers until a consumer opts out. California’s laws go further than Virginia’s in this regard, as CCPA/CPRA require organizations to post a “Do not sell my personal information” link on their website, while CDPA has no similar requirement. Note the one important exception in Virginia: CDPA requires affirmative consent before processing sensitive data (for example health, biometric, or precise geolocation data, or data about children).
- Data minimization: Both CDPA and CCPA/CPRA account for data minimization, requiring organizations to collect and retain only data that’s “reasonably” necessary for the disclosed purposes. Virginia also requires a privacy notice that tells consumers which categories of personal data are processed, for what purposes, and which categories are shared with third parties.
Differences Between CDPA and CCPA/CPRA
- Notification requirements: CDPA contains no breach-notification provisions of its own; in Virginia, what to send, to whom, and when is governed by the older breach-notification statute described above. California ties breaches more directly into its privacy regime, since CCPA/CPRA give consumers a private right of action when unencrypted personal information is breached because of a failure to maintain reasonable security, although the mechanics of notification in California also sit in a separate breach law.
- Dedicated enforcement agency: In California, the 2020 passage of CPRA introduced a dedicated privacy regulator, the California Privacy Protection Agency (CPPA). This agency is not only dedicated to enforcing privacy violations, but will also be self-funded from the fines it issues. In Virginia, enforcement sits with the state Attorney General (where it sat in California prior to CPRA passing); however, enforcing privacy violations is only one of many responsibilities the Attorney General holds.
- Option for private action: CCPA/CPRA give California residents the right to sue organizations directly in certain instances, specifically data breaches of unencrypted or unredacted personal information caused by a failure to implement reasonable security. This private action can occur in parallel to any investigation by the new CPPA. Virginia residents have no private right of action, as only the state Attorney General can take action against CDPA violations.
Why Proactive Incident Response Matters
Virginia’s CDPA is a strong example of what comprehensive privacy regulations will look like going forward. It’s one of the latest such regulations to pass and it certainly won’t be the last. As more and more governments (both within the US and worldwide) continue to think through consumer protections for a fully digital world, we can expect to see even more — and even more stringent — privacy regulations continue to crop up.
This reality makes it essential for any organization that processes data on Virginia residents (or, as trends suggest, on any consumers) to pay close attention to regulations like CDPA and understand exactly what requirements they must meet. Given that privacy incidents are now a matter of “when” rather than “if,” organizations must be prepared to spring into action when something does occur.
Overall, proper preparation — including understanding what’s required by laws like CDPA, establishing a plan to respond based on that, and maintaining that plan as requirements change over time — is absolutely critical for any business. This preparation can help organizations quickly and confidently jump into incident response mode, which can lead to a faster recovery and reduce the overall impact of the incident.
Need help with an incident response strategy?
Leverage the BreachRx platform to build an actionable incident response plan today!