Decoding Virginia’s New Consumer Data Protection Act (CDPA)

by Louis Belpaire | February 25, 2021

This article does not constitute legal advice, and is instead a guide to new, relevant legislation for marketing practitioners. Please confer with your legal counsel before making any decisions in regard to CDPA.

*Update: On March 4, 2021, Governor Ralph Northam signed CDPA into law.*


Consumer data privacy is no light matter. As more people become aware of the risks of sharing personal information with any number of parties, the stakes have increased exponentially. 

87% of consumers say they will take their business elsewhere if they don’t trust a company is handling their data responsibly.

PwC Research

Regardless of the sensitivity of the information, businesses are now expected to keep all PII secure, yet accessible enough to the business to comply with any requests the consumer may have, such as amending or deleting their data from any database. 

More individual states are taking a cue from larger, more sweeping privacy legislation like the European Union’s General Data Protection Regulation (GDPR), as seen in California’s recent California Consumer Privacy Act (CCPA) and Virginia’s proposed Consumer Data Protection Act (CDPA).

How can Virginia-based companies prepare to be compliant with CDPA and ensure their consumers are protected, while also maintaining a modicum of normalcy in their own data procedures for sales, marketing, and more? Let’s walk through it together.

CDPA is like CCPA, with a twist.

The core tenets of CDPA are very similar to those of California’s legislation, CCPA. In short, they include consumers’ rights to: 

  • Request access to their own personal data
  • Correct their information 
  • Request the deletion of their data
  • Opt out of data-driven, targeted advertising

A notable difference, though, is the CDPA’s exclusion of a private right of action included in CCPA, meaning there is no potential for any individual consumer to levy a claim against a business for mishandling of their personal data. This makes the legislation a bit more “business-friendly” than CCPA, but certainly does not diminish a business’s need to be diligent in their data privacy standards. The fact remains, if you’ve prepared for CCPA, you’re well-positioned to comply with CDPA without much turmoil.

Start to pay attention.

If enacted, this change won’t be effective overnight, giving marketers ample time to prepare. If Governor Ralph Northam does sign the legislation, its effective date is January 1, 2023.

Once the date arrives, if a business is found to be noncompliant with the law, it receives a 30-day “safe harbor” period in which it is allowed to fix the identified issue without incurring a true violation. So while you’ll want to be fully prepared for January 1, 2023, you’ll have some grace if you miss something or run out of time.

There are some specific points to note on the legislation itself before you work yourself into a frenzy of preparation. First, most of these provisions only apply to companies collecting information of more than 100,000 Virginians per year, unless you’re a processor of PII (sit this article out, if you are). Certainly, even if you’re currently under this threshold, you should still work to be fully compliant in case the limits are lowered or your business grows. Plus, if you do business with individuals across the country, similar laws under consideration in other states could be enacted with lower thresholds, putting you at risk.

What should marketers do to prepare? 

Marketers should lead the charge for their company’s CDPA compliance. Start by connecting with the legal and IT/web departments. Most commonly, marketers are “controllers” of data being maintained by “processors” such as Salesforce, or Google and Facebook Ads. Your job is to audit which processors you’re using to ensure your use of the tools in your stack is compliant with the new law.

Similarly, to get all required documents and announcements on your website, the IT and web teams will need to be prepared to complete all the necessary site adjustments before CDPA’s enforcement date.

Frankly, you’ll want all departments aligned with your data protection strategy, because anyone who touches data, including Salesforce admins, CRM users and so on, will need to adhere to data hygiene. Without adoption of a data hygiene workflow spanning the entire customer journey, you run the risk of having gaps in which privacy falls short.

One of the easiest things to do to prepare is to simply reduce your need for PII. Assess whether you truly need every piece of data you intend to collect, then ask for only the data considered essential. If you’re using an advertising platform, it is likely working on a way to aggregate measurement so as to not rely on PII, and you should take the same approach. The less you have to be compromised, the lower your risk of disaster.

No matter the circumstances, look at this as a chance to build trust with your customers. When you treat your customers’ data as a great responsibility, and they are aware you take it seriously, you start their journey on a positive, solid note. Being transparent about what information you’re collecting, why, and how you’ll use it is a great opportunity to prove goodwill between brand and consumer, and will pay dividends in the long run.

Louis Belpaire

Louis is our COO and has a passion for all things Tech. When he's not dissecting Apple's latest earnings report, you'll find him training for his next triathlon somewhere in the hills of Virginia.
