Data Security Win: Virginia is Second State in U.S. to Pass Data Protection Legislation

Data
Written By Fareeha Khan
Makpar_Blog Image - LinkedIn_data legislation post_2021.03.10.png

March 10, 2021

Virginia is now the second U.S state after California to officially enact a comprehensive privacy legislation, as Virginia Governor, Ralph Northam, signed the Virginia Consumer Data Protection Act (CDPA) last Tuesday. This law will be in effect from January 2023.

This is significant because data is an integral part of cybersecurity management. When a cyber breach happens, personal information is highly at risk. Government’s job is protect and serve citizens and in a post-cyber world, legislation such as this represents the next level of protections citizens need. People have an integral right to protecting their data.

What Does This Mean?

Th CDPA gives Virginia consumers:

  1. The Right to Know- Consumers will have a right to know if and how a business is collecting and processing their information.

  2. The Right to Access- Consumers will have a right to access their personal data and receive a copy of the information.

  3. The Right to Correct- Consumers will have a right to correct errors in the personal data collected by businesses.

  4. The Right to Opt-Out- Consumers will have the right to opt-out of data processing activities.

Businesses will now be required to get opt-in consent before collecting or processing consumers’ sensitive data. They will also be required to conduct “Data Protection Assessments” on a regular basis. Additionally, there is a $7,500 per violation fine for lawbreakers.

The CDPA applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth.” The bill avoids imposing obligations on small businesses and non-profits. Businesses that are affected by this act include:

  • Organizations that control or process the personal data of at least 100,000 Virginia residents, or

  • Organizations that control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data

  • Virginia’s CDPA applies to business that “control or process” personal data. It defines personal data as information that includes:

  • Reveals racial, ethnic, religious, mental, or physical details.

  • Sexual orientation or immigration status/citizenship

  • Genetic/ biometric data

  • Personal data of a child

  • Precise geological data (residential address)

Who is Excluded?

The CDPA defines the consumer as “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.” This definition excludes sole proprietors running businesses in Virginia whose businesses do not run on collecting consumers’ personal information. Other businesses that are excluded from this mandate include businesses that are already subject to Federal privacy legislation, non-profits, and institutions of Higher Education.

New Principles:

The new law imposes several principles recognized as best practices for the management of consumer data privacy.

  1. Businesses are obligated to post a privacy notice outlining the purpose to collect and process of personal data. They must also disclose third party vendors, if any, while including details on how to opt-out of third-party data collection and processing and advertising.

  2. They are obligated to minimize data collection and use it only when it is necessary for the disclosed purposes. Companies must keep only data that is useful for current business purposes, with full disclosure of the purposes of personal data to its consumers.

  3. They are obliged to maintain technical, administrative, and physical data security practices.

  4. They are compelled to undergo a formal “data protection assessment” to verify the data collection and processing activities. The assessment will evaluate data that is used for profiling and advertising.  It will also review data that is sold and data that is a “heightened risk of harm to consumers.”

  5. They are required to obtain a consent from the consumer before collecting sensitive data.

Businesses must develop processes to meet the requirements outlines by the bill. Businesses that are affected by the mandate have 45 days to respond to consumer requests. Each consumer is entitled to 2 free enquiries per year, after which the business may charge a fee to cover administrative costs. The business is obligated to provide a written explanation if it cannot fulfill the request so consumers may contact the Attorney General to submit a complaint.

Why Is This Important?

The CDPA is an important milestone as it attempts to develop a framework for data processing and protection. Consumers can finally ease the burden of not having to secure their own privacy as far as businesses are concerned.

Keeping data secure is an important concern, for us, at Makpar. Data breaches can affect a whole organization and its stakeholders. To address breaches efficiently, organizations should adapt their workflow by combining cybersecurity and data protection and implementing an integrated risk assessment. Makpar has implemented significant data protection efforts within the IRS to protect the personal identifying information (PII) of all taxpayers, IRS employees, and contractors. Protecting the identity of Americans is at the top of our priority list.

Fareeha Khan
Previous

The Fed Mission Success Round Up: COVID-19 Matters, Emerging Tech, and Digital Equity
Next

The Fed Mission Success Round Up: DoD projects, GSA News and Federal Modernization