Guide To Making Sure Your Business Follows CDPA
As a business owner, there are a number of different rules and regulations that you need to adhere to. To make matters even more confusing, legislation changes all of the time. It can seem like a minefield, but it is important that you take the various laws seriously so that you do not end up in serious legal trouble.
In this guide, we are going to focus on the Consumer Data Protection Act (CDPA) in particular. The CDPA was passed in Virginia this year on the 2nd of March. It grants your customers data rights and requires you to comply with a number of rules regarding the data you collect, how you treat it, the measures you take to protect it, and who you share it with. Osano’s CDPA guide is a great resource for getting a better understanding of this legislation and how it pertains to your business.
There are a lot of similarities between the CDPA and the California Consumer Privacy Act, as well as the EU General Data Protection Regulation. It is applicable to all entities that sell services and products to residents in Virginia, as well as those that do business in the area.
What does the CDPA require businesses to do?
There are a number of different requirements you must fulfil as per the CDPA, such as:
- You must allow consumers to delete their data
- You must allow consumers to opt out of having their data sold
- You must disclose to consumers if you are going to sell their data
- You must obtain consent via opt-in for sensitive data processing
- You must comply with consumer requests to see data collected on them within 45 days
- You must provide consumers with a clear privacy notice that includes a way for them to opt out of targeted marketing
Do you need to comply with the CDPA?
Before we go any further and explain the steps you must take when it comes to the CDPA, it is vital to determine whether or not this applies to you.
You will be subject to the CDPA if both of the following criteria apply to your company:
- You conduct business in Virginia OR you produce services or products that are targeted to residents of Virginia
- Throughout a calendar year, you process or control the personal data of a minimum of 100,000 consumers OR you process or control the personal data of at least 25,000 consumers and derive more than 50 percent of your gross revenue from selling their personal data
Some businesses are exempt from the CDPA
Even if a company meets the criteria mentioned above, it may be exempt from the CDPA. For example, if your company is based outside of Virginia and does not “target” Virginia consumers, it is exempt. Here, “target” means that consumers in Virginia are part of your consumer base or intended audience. It does not mean that consumers in Virginia are prioritized over those in other states.
You will also be exempt from the CDPA if you are already subject to a federal privacy scheme. Key examples include HIPAA for health information, the Gramm-Leach-Bliley Act for financial institutions, and the Fair Credit Reporting Act.
If you operate a B2B business, you may be exempt. This is not an automatic exemption, so do keep that in mind. Rather, the exemption arises in practice because a B2B business is unlikely to meet the 100,000/25,000 consumer threshold.
What must your business do to adhere to CDPA?
Any business that holds consumer data is known as a data controller. If this applies to you, there are a number of steps you need to take to meet the legal obligations under the CDPA. Let’s take a look at these below:
Your privacy notice needs to include the following:
- The personal data categories you collect
- The reasons (purpose) for collecting and processing the data in question
- The personal data categories you share with third parties
- The third-party categories with which the personal data is shared
- How consumers are able to exercise their CDPA rights
- How consumers are able to make an appeal against your decision regarding the CDPA rights they wish to exercise
- If you sell personal data to third parties
- How consumers can opt out of their data being sold to third parties (if applicable)
- If you use personal data for targeted advertising
- How consumers can opt out of their data being used for targeted advertising (if applicable)
Only collect necessary and relevant data
Handling data access requests
Now, we are going to take a look at the rules that are in place with regard to how consumers exercise their data rights.
Consumers are entitled to make two data access requests per year free of charge. If they make any further requests, you may only charge for them if you can show that the request is repetitive, excessive, and manifestly unfounded. Even then, the charge must be reasonable and may cover only your administrative expenses.
Once a consumer has made a request, you must respond within 45 days. If it is going to take longer, you must inform the consumer, and an extension is only allowed where it is reasonably necessary. The extended deadline can be no more than 90 days.
Irrespective of the deadline, responding without undue delay is vital.
Can you refuse a request? This is only allowed if you cannot fulfil it using commercially reasonable efforts. If you do not have sufficient information from the consumer, you need to ask for it. If a request is refused, you must explain why, and it is vital to recognize that the consumer can appeal the decision.
Should the consumer make an appeal, you then have 60 days to put together a response.
Take the required steps to secure data
Data security is critical for all businesses today. It seems that a day does not go by without news of a data breach, and this is why it should not come as any surprise that security is a key area of the CDPA.
The CDPA states that sufficient security measures need to be taken to ensure that personal data remains complete, accessible, and confidential. This should include technical, physical, and administrative measures.
The CDPA also states that a formal data protection assessment needs to be conducted, which should cover the way in which you process any of the following:
- Personal data that is sensitive
- Personal data that is used in a manner that generates an increased risk of harm to consumers
- Personal data that is used for profiling
- Personal data that you use for targeted marketing
- Personal data that you sell
When carrying out the assessment, make sure it takes into consideration the risks and benefits for both you and the consumer, as well as the relationship you have with the consumer and any safeguards you utilize.
When you have conducted the assessment, you do not necessarily need to decide on whether you proceed with processing based on the conclusions. However, it is essential that a record of the assessment is kept.
Should the Attorney General investigate an alleged CDPA breach at a later date, they will demand a copy of the applicable data protection assessment. This could end up impacting the conclusions they draw regarding who is responsible for the breach, so it really is critical.
Breaching CDPA can result in a penalty
Unlike some other privacy rules, a consumer who alleges a CDPA breach is not able to take legal action themselves.
However, the Attorney General in Virginia can order a company to rectify any violation within 30 days. If the company does not do so, a civil penalty of up to $7,500 per violation can be imposed. To make this clear, every affected individual counts as a separate violation, so you could find yourself paying $7,500 for every person impacted.
Final words on ensuring you comply with the CDPA
So there you have it: a full insight into the CDPA and the steps that businesses need to take to adhere to this new act. Data protection is critical, and you cannot ignore your responsibility to do everything in your power to protect consumer data.