On March 2, 2021, Virginia Governor Northam signed the next US privacy bill: the Virginia Consumer Data Protection Act (CDPA), which takes effect January 1, 2023, and offers a variety of new rights to residents of the Old Dominion. Like the California Consumer Privacy Act (CCPA), CDPA has clear thresholds. Companies are covered if they process the personal data of 100,000 Virginia residents annually, or of 25,000 Virginia residents if more than 50% of their total income comes from the sale of personal data.
If either threshold is met, the entity needs to extend the new individual rights to its customers:
- The right to understand whether personal data about them is being processed. This includes a wide range of notification requirements.
- The right to access all processed personal data.
- The right to correct incorrect personal data.
- The right to delete personal data.
- The right to data portability. Ideally, personal data should be provided in a ready-to-use format, making it easy to move to another data controller.
- The right to opt out of the sale of personal data and the processing of personal data used for targeted advertising and profiling.
Exercising individual rights is free and can be done up to twice a year. The company must respond within 45 days and may extend this deadline by another 45 days if more time is required. In that case, it needs to provide the reason for the delay. If the request cannot be met, it must be rejected with good reason. Individuals must always be able to prove their identity, so that personal data is not provided to unauthorized persons.
CDPA has clearly taken a leaf out of the EU General Data Protection Regulation (GDPR) book by providing a set of data protection principles that companies processing personal data need to respect. For example, companies are to process personal data only as “appropriate, relevant and reasonably necessary with respect to the purpose for which such data is processed.” It may not be further processed for incompatible purposes. Further, “reasonable management, technical, and physical data security practices” are to be implemented. Like the Washington privacy bill (WPA), CDPA also introduces an EU-inspired distinction between controllers and processors, including the obligation to enter into data processing contracts that regulate all data processing on behalf of data controllers. This is a first for an enacted US privacy law.
Not all of these data protection principles are included in the privacy laws of other US jurisdictions. The principle of purpose limitation, for example, is not included in CCPA, but was introduced by the new California Privacy Rights Act (CPRA) and will apply from 2023. When it comes to data security, both of California’s privacy laws are more restrictive, tying specific data security requirements only to the need to avoid data breaches.
Another notable provision of CDPA requires opt-in consent for the processing of sensitive personal data. This includes all data “revealing racial or ethnic origin, religious beliefs, mental or physical health checks, sexual orientation, or citizenship or immigration status,” as well as genetic or biometric data used to uniquely identify an individual, precise geolocation data, and data from known children.
Finally, CDPA requires a data protection assessment for the sale of personal data, for the processing of sensitive personal data, for profiling and targeted advertising purposes, and for processing that presents an “increased risk of harm to consumers,” a standard similar to the GDPR’s obligation to carry out a Data Protection Impact Assessment (DPIA). It should be noted that data controllers can weigh the benefits of the processing against the risks it poses to individuals. This is similar to what appears in the WPA draft, which has been discussed three times in a row in the Washington State Capitol. There are no specific provisions in CCPA or CPRA that require specific data protection or privacy assessments to be performed at this time.
The Attorney General of Virginia has exclusive authority over the enforcement of the CDPA. The Attorney General may open a civil investigation into any controller or processor and impose a fine of up to $7,500 for each breach. The same cap applies to damages payable by a company that violates the CDPA. Unlike CCPA, CDPA does not recognize a private right of action, which would offer individuals the possibility to sue companies for infringement of their right to privacy.
As mentioned above, Virginia’s CDPA will be effective from January 1, 2023, which is the same date that CPRA takes effect. If adopted, WPA will also apply as of this date. This means that companies that meet the applicability thresholds in both states will have to comply with several new rules from that date. Some of these rules are aligned between the two jurisdictions, but not all. As more states resume discussions on the introduction of broader privacy laws across the United States, especially in Washington, Minnesota, New York, Oklahoma, and Utah, the likelihood is increasing that more specific data protection requirements will come into force in the same time frame.
TrustArc continually tracks the development of privacy laws at the US state level and in countries around the world. The results are available to subscribers of Nymity Research, and are part of the intelligence systems and engines that power our privacy management platform. If you want to understand how TrustArc can help your business comply with privacy requirements across multiple jurisdictions, request a free demo.
Virginia Introduces Consumer Data Protection Act
https://trustarc.com/blog/2021/03/02/virginia-introduces-consumer-data-protection-act/