Last updated on 03 December 2021 by William Blesch (Legal and data protection research writer at TermsFeed)
If your company will be collecting personal information from the residents of Virginia who register for your services online or visit your website, then you are required to comply with the terms of the state's Consumer Data Protection Act (CDPA).
The CDPA will become effective on January 1, 2023.
CDPA (Virginia Consumer Data Protection Act) is a privacy legislation that applies to anyone that does business in the Commonwealth of Virginia.
Virginia's CDPA brings the United States a giant leap forward toward the same kind of rigid privacy and data security laws found in the European Union. Some have also compared the CDPA to California's Consumer Privacy Act (CCPA), which, until the CDPA passed, was the most stringent data privacy law in the United States.
However, the CDPA surpasses the CCPA in its imposition upon companies of security and assessment requirements.
The CDPA applies to anyone that does business in the Commonwealth of Virginia. It also applies to those who provide services or who produce products targeted to the state's residents.
Additionally, the CDPA applies to you if your company:
The law's definition of consumer is "a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context."
According to the CDPA, the definition for "Personal Data" is "any information that is linked or reasonably linkable to an identified or identifiable natural person." Exceptions to this definition include:
The CDPA outlines what kinds of personal information are considered private and which you must protect. These are:
Under the CDPA, "consent" is "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." You are required to acquire the explicit consent of Virginia residents before processing any of their personal information.
Reasonable expenses may also include attorney's fees.
You may find answers to the list of the following questions useful.
If you do business in the Commonwealth of Virginia, then yes.
Lawmakers weren't super clear about what that actually means. However, if you use the CCPA as a model (whose legislators were more conscientious in providing businesses with clear definitions and instructions), then in addition to ensuring the information mentioned above is included, you'll want to:
You can alternatively use an unticked checkbox next to a statement like that mentioned above. To advance, users would have to tick the checkbox to affirm that statement.
For example, Dollar Tree lists an incredibly long list of personal data categories it collects from customers and the specific types of data it collects:
A context and specific types of data are given for each instance where information is collected:
- Account Registration: We collect your name, contact information, and password information when you create an account. We also collect information relating to the actions that you perform while logged into your account.
- Client Information: We collect the name and contact information of our clients and their employees with whom we may interact.
- Cookies and Third-Party Tracking: We participate in behavior-based advertising, which means that a third party uses technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests on our website, or on other websites.
- Coupons/Loyalty Program Information: We may collect your telephone number, email address, name and other contact information, birthday, gender, location information, personal preferences, and password information to administer loyalty and coupon programs.
Dollar Tree goes on to list other categories for which personal information is collected. These include:
The next section you should include is how you use and process personal information. A Virginia-based company that lays everything out on the table is DXC.technology. Like Dollar Tree, it goes into explicit detail as to how consumer information is both used and processed.
Just one example is how the company uses data to fulfill transaction requests:
A few other ways DXC uses and processes consumer data is to:
Every company that collects personal information from its customers should specify the information they share with third parties as well as what category of third parties it shares data with.
Here's how General Dynamics discloses this information:
Make sure you include a section that details how consumers can exercise their rights under the CDPA.
Northrop Grumman provides the information consumers need, but they certainly aren't as simple and easy to understand in their language as perhaps they should be:
The CDPA sets out some of the most comprehensive requirements for companies that do business in the Commonwealth of Virginia. Similar in many ways to California's CCPA, the CDPA lays out rules for the privacy and protection of the personal information of Virginia residents.
More specific Privacy Templates are available over our blog.