March 18, 2021
On March 2, 2021, Virginia governor Ralph Northam signed into law the Consumer Data Privacy Act (CDPA), which will take effect in 2023. The CDPA is similar to an existing data privacy law, the California Consumer Privacy Act (CCPA), in that it will give consumers the right to:
One key difference between the two regulations is that, under Virginia’s CDPA, individuals do not have a private right of action for a data breach as they do in California.
DOES IT APPLY TO ME?
The CDPA applies to individuals and firms that:
Unlike California, Virginia does not have specific revenue-related requirements for determining which businesses are subject to these regulations; the CDPA applies regardless of revenue.
Certain regulated financial service entities, among others, are exempt from Virginia’s new data privacy regulation.
Also exempt from the CDPA is data already controlled by other regulations such as the Gramm-Leach-Bliley Act (GLBA). The GLBA, enacted in 1999, created obligations for financial institutions to protect consumer financial privacy and safeguard non-public information. There are three main provisions of the GLBA:
If your business is already subject to the GLBA, then Virginia’s CDPA will not apply to you.
WHAT SHOULD I DO?
If your business meets the above requirements and does not qualify for an exemption, you should begin preparations for CDPA compliance. Virginia’s new law will go into effect on Jan. 1, 2023, giving businesses nearly two years to either modify operations to avoid being subject to these rules or to update policies and procedures according to regulations.
Regardless of CDPA status, your firm’s privacy policies should be reviewed and updated regularly to ensure compliance with any applicable laws and regulations. Because it can be difficult to keep up with new requirements, Fairview Cyber is available to help you determine which laws your business is subject to and then update your policies and procedures appropriately. Contact Fairview Cyber today if you have questions about CDPA, GLBA, or other data privacy laws and to start the conversation about what we can do for your business.