April 20, 2021

Virginia CDPA: What Marketers Need to Know

Virginia CDPA will introduce restrictions on you if you operate or target residents of the state and you fall under the criteria of businesses that need to comply.

 Virginia Consumer Data Protection Act (CDPA) is now law, and judging from the GDPR, CCPA, and LGPD experience so far, early preparation is critical for marketers.

CDPA comes into effect on January 1, 2023, which happens to be, coincidentally, the exact date when the enforcement of CCPA 2.0 (California Privacy Rights Act) also begins in California. Definitely a massive year for marketers and data privacy compliance as a whole. 

Virginia CDPA will introduce restrictions on you if you operate or target residents of the state and you fall under the criteria of businesses that need to comply. More of that later.

In a nutshell, under the Virginia CDPA, you must;

  1. Respond to specific, verified requests from consumers in the state to take responsibility for, edit, or delete their personal data within 45 days.
  2. Have clear and specific privacy notices and disclosures about your data processing activities
  3. allow consumers to opt-out of the processing of personal data in particular cases. Additionally, you must avoid processing specific categories of sensitive personal data without an explicit opt-in
  4. carry out Data Protection Impact Assessments (DPIAs) of your processing activities and identify the types of personal data that may be vulnerable to privacy breaches. 

Virginia CDPA is not revolutionary because its provisions bear similarities with existing or upcoming data privacy laws. However, most analysts concede that it is most similar to the Washington Privacy Act (WPA) when compared across the board. 

In this article, we explore the most notable provisions of the Virginia Consumer Data Protection Act and how they will impact marketers when it comes into effect.

Table of Contents

  • Who needs to comply with Virginia CDPA? 
  • What rights do consumers have under the Virginia CDPA? 
  • What does Virginia CDPA say about Targeted Ads?
  • How does Virginia CDPA compare with CCPA? 
  • How can marketers prepare? 

Who Needs to Comply with Virginia CDPA? 

If you operate in, or target Virginia consumers, you will be required to comply with the the new data protection act if; 

  • You control or process the personal data of at least 100,000 users 
  • You manage or use the personal information of at least 25,000 consumers and obtain more than 50% of your gross income from selling personal data. 

The only entities exempt from complying with the Virginia Consumer Data Protection Act are; 

  • State or local governments. 
  • Specific categories of personal data that fall under the scope of federal regulations.

What Rights do Consumers have Under Virginia CDPA? 

Under the Virginia consumer law, data subjects are entitled to; 

  • Know if you are processing their personal information or not
  • Get access, edit, or even delete their personal data that you may have in your possession
  • Receive a copy of all the categories of personal data you may have collected about them
  • Opt-out from your processing of their personal data for targeted advertising purposes, sale, or profiling that can impact the data subject in question. 

Unlike the CCPA, Virginia’s data protection act does not give consumers the private right of action. Instead, this responsibility lies with the state’s Attorney General. 

In case you are accused of violating this consumer protection Act, Virginia’s Attorney General is the only party allowed to lodge a lawsuit against your company. 

If found guilty of infringing CDPA requirements, you can receive a maximum fine of $7,500 for every violation, excluding related legal expenses and lawyer fees. 

But, who is a consumer? Well, the Virginia Consumer Data Protection Act describes a consumer as any natural person residing in Virginia so long as he/she acts in the interests of an individual or a household. 

A notable aspect of the CDPA’s definition of a consumer is that it does not provide any protections for consumers when acting on behalf of a business or as an employee. 

This is unlike the CCPA, which does not restrict its definition of a consumer to an individual or household context. 

What does Virginia CDPA Say about Targeted Ads? 

The targeted opt-out requirement in the Virginia privacy law is quite interesting, especially when comparing it with the CCPA. 

The need to give consumer opt-outs for sale, targeted ads, and specific kinds of profiling indeed extend to a wide variety of identifiers used in the adtech industry, such as cookie and mobile ad IDs. 

With the addition of opt-outs for targeted ads and profiling, it goes without saying that CCPA’s opt-out requirements are much narrower compared to those contained in the Virginia Consumer Data Protection Act. 

As a marketer, sound advice equates to having an opt-out mechanism that manages the sharing of personal data collected for all behavioral marketing purposes. 

For context, under Virginia’s privacy law; 

Targeted advertising; displaying ads to a user based on personal data you collected from their activities over time across different websites or digital apps that can give pointers to the data subject’s preference or interests. 

Profiling; any kind of automated processing of personal data to assess, analyze, or predict an identified or identifiable person’s economic status, health, personal taste, location, conduct, movement, or interests. 

Another interesting aspect about the Virginia consumer law is in relation to B2B marketing. When you go back to the definition of who is a consumer under the CDPA, in that case, the regulation clarifies that it refers to any Virginia resident acting in an individual or household context. 

This means that consumers who are acting on behalf of a business or as an employee are not entitled to the consumer rights set forth by Virginia’s data protection law. 

As such, there is some leeway for B2B (business-to-business) or B2G (business-to-government) targeted ad campaigns. 

How does Virginia CDPA Compare to CCPA and GDPR? 

In terms of similarity, GDPR, CCPA, and the CDPA give users the right to know what kind of personal information a company holds about them, ask the data controller not to sell it, or make a request to have it deleted if need be.

In terms of scope, the CDPA will work just like GDPR. If you collect the personal information of Virginia consumers, you need to comply with CDPA whether you have headquarters inside or outside the state.  

On the other hand, there are notable differences between the Consumer Data Protection Act and the Golden State’s CCPA;

Exclusions; Consumer Data subject to GLBA and HIPAA is exempt from the scope of the CCPA, although the institutions that control such data are not.

 In contrast, if you are subject to GLBA or HIPAA, you are exempt from CDPA compliance. 

Clear Definition of ‘Data Sale’; When it comes to CCPA, the definition of selling data can be up to interpretation since, in some cases, data sharing can be viewed as a sale. 

This is not the case with CDPA, which requires direct, monetary compensation for it to count as a sale. 

Employee data; CDPA makes it explicitly clear that it does not apply to employee data from its definition of a consumer, which is unlike the CCPA, which also extends its scope to employee data. 

How can Marketers Prepare? 

1. Marketers should lead the charge for their company’s CDPA compliance. Your starting point is to connect with the legal and IT/web departments. 

Typically, as a marketer, you are a “controller” of data being managed by “processors” such as Salesforce, Google, or Facebook Ads.  

You need to audit all your processors and ensure your processing activities are compliant with Virginia’s new data protection Act. 

2. Secondly, you need to coordinate and obtain all the necessary documentation and privacy notices on your website. 

You also need to liaise with your IT and web teams to make arrangements to carry out all the necessary website adjustments before Virginia CDPA comes into effect. 

You need all departments aligned with your data protection strategy because data hygiene is a responsibility for anyone who touches consumer data, including Salesforce admins, CRM users, etc.

 If you do not set up workflows that prioritize data hygiene across all customer touchpoints, you run the risk of having gaps in your data privacy program, and we have seen how this story ends. Fines. 

3. An easy way to speed up your preparation for the new Virginia consumer law is to minimize your reliance on Personally Identifiable Information (PII). Basically, ensure that every piece of consumer data you intend to collect is truly essential. 

If you’re using an advertising platform, it is likely they are already working on a way to aggregate measurement to eliminate the need for PII. 

You should do the same. The less the personal data you hold, the lower your risk of exposure to Virginia CDPA’s fines.

Overall, consider the new Virginia consumer law as an opportunity to cultivate trust with your customers. 

When you handle your customers’ data as a great responsibility, and it becomes clear to them that your organization considers it as such, you already have a head start on your competitors. 

Demonstrating transparency in what information you’re collecting, why, and how you intend to use it from the word go is an unmissable chance to prove goodwill between your brand and the consumer. You will reap the benefits in due time. 

If you have any concerns or additional questions about Virginia CDPA, book a 30-min call and get guidance from a data privacy expert. 

Take a look at our Complete Guide to the New US Federal Data Privacy Bill (ADPPA).