To see the original publication of this article visit CMS Wire.
GDPR. CCPA. CPRA. And now… CDPA? Data privacy law acronym bingo lives another day.
Virginia this month passed the Consumer Data Protection Act (CDPA). The bill grants consumer rights to access, correct, delete and obtain a copy of personal data and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data or profiling of the consumer. It marks the fourth comprehensive state consumer data privacy legislation in the United States, joining California, Maine and Nevada.
The bill becomes effective Jan. 1, 2023. Turns out that’s the start of a big year for marketers because the California Privacy Rights Act (CPRA), which extends provisions of the California Consumer Privacy Act (CCPA), becomes fully operative that day.
No Time To Upend Privacy Programs
Is it time for marketers and those charged with collecting and managing customer and prospect data to start upending their programs because Virginia getting into the mix? Not quite, says digital policy expert Kristina Podnar. Of course, that's presuming you're already on top of things.
However, in terms of differences with other existing state and other major privacy laws, there’s nothing “revolutionary” about Virginia’s CDPA, according to Podnar. “As a controller in Virginia I have 45 days to respond (to a consumer request) versus in the EU I have 30. To me I don’t think that makes or breaks it for a marketer. I still have to respond,” Podnar said, illustrating one of the subtle differences in Virginia’s privacy act vs. the European Union’s GDPR passed in 2018. “I still have to have a process in place. I still have my controller. I still have my processor. I still have to get my permissions. I still have my data categories. I still have my third parties that I have to actually be very clear about who I'm sharing the data with. I still have to be able to provide the privacy notice. Are there differences between Virginia, Maine, Nevada and California? Yes... But if you already have been on this journey for GDPR and for CCPA you'll be fine, or you'll be like 95% there.”
To Whom Does This Law Apply
Podnar's certainly not suggesting to turn a blind eye toward Old Dominion's law. The first step is knowing to whom it applies.
The CDPA applies to businesses that target Virginia residents and that in any calendar year:
OR
The Virginia bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.
Key Dates To Know for Virginia
Virginia Governor Ralph Northam signed CDPA into law March 2. But it’s likely going to be reshaped, just like CCPA was by the CPRA last year.
The Virginia CDPA law directs the Joint Commission on Technology and Science to establish a work group to review the provisions and issues related to its implementation, and to report on its findings by Nov. 1, 2021. Podnar’s message here is marketers are in a bit of a waiting period through November likely. “You still have to wait a little bit to see where the really big differences are going to be, and I know this is sort of frustrating,” Podnar said. “There are two waiting periods with Virginia — there's one through November, and then there's the secondary period which is once this makes its way into the court system and what are the rulings going to be.”
The bill has an effective date of Jan. 1, 2023.
What Rights Do Virginia Consumers Have?
Here’s what a consumer has a right to request of a brand that is on the hook for the Virginia CDPA:
What Virginia Says About Targeted Ads
Stacey Gray, senior counsel for the Future of Privacy Forum, found the targeted-advertising opt-out provision of the Virginia privacy law interesting when compared to California’s CCPA. Virginia’s pseudonymous data opt-outs for sale, targeted ads and certain profiling covers a broad range of identifiers used in digital marketing; e.g., cookie IDs, mobile advertisement IDs.
“The inclusion of ‘targeted ads’ and ‘profiling’ make the opt-outs in Virginia broader, in one sense, than CCPA, but many of the definitions are narrower,” Gray said. “From a business sense it probably makes sense to level up and consider how to implement an opt-out that addresses all behavioral marketing-related sharing of data, unless it can be narrowly cabined in as short-term/transient contextual advertising, or measurement and attribution within the meanings of both laws."
In Virginia, “targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests (hello there, cookies.)
"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Think of 'Core Privacy Principles'
The established and recently-proposed privacy regulations have more in common than not, said Tyrone Jeffrees, vice president of engineering and U.S. information security officer at Mobiquity. “It’s best for organizations to adapt business processes around core privacy principles — the right to informed consent, the right to correct, right to opt out — while building workflows, templates or checklists that can be tailored for each state," Jeffrees said.
Timelines for responding to consumer privacy requests and providing consumer notifications (as Podnar noted earlier) likely will be the key areas where the regulations will vary from state to state, according to Jeffrees. A method for identifying applicable reporting requirements and tracking adherence by location will be critical.
Leave your details below and we'll be in touch soon.
.png "Consumer Data Protection Blog Header (1)")
