Virginia Passes Privacy Legislation
Virginia’s state legislature in late February passed the Consumer Data Protection Act (CDPA), and Gov. Ralph Northam quickly signed it into law, making Virginia just the second U.S. state to pass a data privacy rule.
Some are already calling the CDPA Virginia’s answer to the European Union’s General Data Protection Regulation (GDPR) or the East Coast version of the California Consumer Privacy Act (CCPA). The CDPA, which takes effect Jan. 1, 2023, borrows from both, with some differences.
The CDPA requires consumers to provide explicit consent for data collection and use, an approach closer to the GDPR than to the CCPA, which instead mandates that companies give consumers an opt-out mechanism. The CCPA also provides only a right to know and a right to be deleted, while the CDPA gives consumers the rights to access, correct, delete, and move their personal information.
The Virginia law also eliminates the revenue threshold; the CCPA applies to businesses with annual gross revenue of more than $25 million, while the CDPA applies broadly to anyone who conducts business in Virginia and either controls or processes the personal data of at least 100,000 consumers or derives more than half of its gross revenue from the sale or processing of data belonging to at least 25,000 consumers.
Another significant difference between the CCPA and the CDPA is that the latter designates the state’s attorney general as the sole enforcer of the law, while the CCPA also lets consumers themselves bring suit. The CDPA does, however, allow for class-action lawsuits for violations that result in data breaches.
Fines for violating the CDPA could reach $7,500 per violation.
Adam Strange, a data classification specialist at HelpSystems, says, “It’s good to see laws like these becoming more commonplace in America.”
Other U.S. states, including Vermont, Ohio, and Alabama, are also working on consumer privacy and data protection legislation.
Strange, therefore, says now is the right time for organizations to review their data governance and protection requirements.
“They would be well-advised that employing data classification is the best-practice standard in the first steps to achieving a holistic data-centric security strategy and to ensure compliance with these incoming legislations,” he says. “Data protection is the one constant that must be maintained across all environments. Organizations hold and are responsible for safeguarding vast amounts of data, and this data must be appropriately protected, irrespective of its type or location.”
Strange and others say organizations now have complete responsibility to accurately identify, classify, and protect data. “An integrated combination of process and user-centric, people-based capabilities is required, alongside technology, to deliver relevant data protection strategies for each business and its users,” he states. “As we see more data protection legislation come into effect, the necessity to keep businesses and data safe while facilitating access and usability for all user groups will become infinitely more challenging. The use of effective data classification tools will become paramount as organizations seek to comply with these new standards.”