Prepare for the CDPA: East Coast Meets West Coast as Virginia Signs Privacy Law

By Dionysia Kontotasiou
April 21, 2021

The state of Virginia recently voted to become the first state on the East Coast to enact a law governing how companies protect consumers’ personal data. The new law comes as tech giants face pushback from lawmakers and consumers over their handling of personal information.

The Virginia Consumer Data Protection Act (CDPA) bill was signed into law on 2 March 2021 and will go into effect in 2023.

Similar to the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), and even Europe’s GDPR, the CDPA is the latest development in what has been a watershed year for privacy legislation in the United States.

But businesses that have worked on compliance with the other laws shouldn’t rest on their laurels. They still need to prepare for the CDPA, which has different provisions from those of the CCPA or the CPRA.

In this article, we take a look at these distinct provisions of the Virginia Act and compare them to the CCPA (as amended by the CPRA) and the GDPR.

| Key Provisions | Virginia CDPA | California CCPA + CPRA | Europe GDPR |
|---|---|---|---|
| Ability to Process | | | |
| Data Minimisation | Yes | No | Yes |
| Permissible Purpose | Yes | No | Yes |
| Individual Rights | | | |
| Right to receive notice of processing activities | Yes | Yes | Yes |
| Right to access personal data | Yes | Yes | Yes |
| Right to data portability (i.e., data must be provided in a readily usable format, so it can be transferred from one entity/platform to another) | Yes | Yes | Yes |
| Right to correct errors in personal data | Yes | No | Yes |
| Right to delete personal data | Yes | Yes | Yes |
| Right to opt-out of behavioral advertising | Yes | No | Yes |
| Right to object to automated profiling and decision making | Yes | No | Yes |
| Right to non-discrimination for the exercise of these rights | Yes | Yes | Yes |
| Right to opt-out of sales of personal information | Yes | Yes | No |
| Opt in or opt out for processing of sensitive information | Opt-in | Opt-out | Opt-in |
| Right to appeal denial of requests | Yes | No | No |
| Accountability/Governance | | | |
| Data Protection Assessments | Yes | No | Yes |
| Security | | | |
| Appropriate Data Security to Safeguard Information | Yes | Yes | Yes |
| Breach Notification | Yes | Yes | Yes |
| Data Transfers Outside EEA | | | |
| Additional measures for international transfers | No | No | Yes |
| Transfers to Third Parties | | | |
| Contractual Requirements in Service Provider Agreements | Yes | Yes | Yes |
| Marketing | | | |
| Consent for Adtech cookies | Yes | Yes | Yes |
| Consent obtained prior to direct marketing | No | No | Yes |
| Enforcement Agencies | Attorney General | Attorney General, CPPA | DPA |
| Operative date | 1 January 2023 | 1 January 2020 / 1 January 2023 | 25 May 2018 |

Watch this video for more information on the differences between EU and US privacy laws and which privacy standards should be considered when performing A/B testing.

Businesses that have worked on achieving compliance with the CCPA or GDPR will find that these laws have a lot of similar verbiage and terminology; however, it is a mistake to assume that the Virginia law has identical requirements.

While there are similarities to the CCPA and GDPR, the CDPA contains nuances that are likely to be unique to each organization.

If you’re getting overwhelmed reading this, check out the step-by-step instructions we’ve laid out below to help tackle compliance with the new privacy law.

First, have the lawyers, IT professionals, and privacy specialists within your organization assess the law’s application to your business. Then, identify any gaps and develop a compliance plan that includes solutions for these issues.

Let’s go into further detail, shall we?

To achieve compliance with the CDPA, you need to:

  1. Create and maintain a comprehensive data inventory, providing insight into both the types of data involved and the nature of processing activities.
  2. Ensure that sensitive data is segregated and managed without unnecessary risks.
  3. Implement a framework for conducting Data Protection Impact Assessments (DPIA).
  4. Assess the cybersecurity policies, practices, and controls in place to ensure they are consistent with industry-recognized standards.
  5. Enable consumers to opt out of the sale of their personal information (where applicable).
  6. Update public-facing privacy policies to, among other changes, pledge not to re-identify de-identified personal data and provide details on your data processing activities.
  7. Develop mechanisms for accepting, tracking, verifying, and honoring consumer requests to access, correct, or delete personal data, or to opt out, under the CDPA.
  8. Ensure that your customer service employees have accurate knowledge of the regulations to satisfy consumer requests efficiently and predictably.

Finally, while 2023 may seem a distant future, don’t postpone building your compliance plan.

If other recent privacy laws taught us anything, it’s that these initiatives require extensive efforts and time to carefully plan, spot gaps in your privacy mechanisms, and implement new policies, processes, and remediation efforts.

It is not too early to start CDPA compliance efforts as more states, such as New York and Washington, begin to enact consumer privacy protection laws.

As more state legislatures become active in passing consumer privacy protection bills or laws, one thing becomes clear: ensuring customer privacy can no longer be an afterthought. It must be baked into your business model.

Originally published April 21, 2021 - Updated November 10, 2022


Authors
Dionysia Kontotasiou

Convert's Head of Integration and Privacy, helping customers with technical queries.

Editors
Carmen Apostu

In her role as Head of Content at Convert, Carmen is dedicated to delivering top-notch content that people can’t help but read through. Connect with Carmen on LinkedIn for any inquiries or requests.
