Two new US data protection statutes go into effect for California and Virginia: the California Consumer Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA). Both laws will provide consumers with greater rights over their personal data.
You have only a few more weeks to update your data protection program to prepare.
- While California’s CCPA became enforceable on July 1, 2020, the CPRA expands upon and updates the CCPA. Specifically, it gives Californians additional rights, such as the right to correct and the right to limit use and disclosure. The CPRA also requires employers to provide enhanced protections to employees, contractors, job applicants, board members and dependents receiving benefits through the employer.
- The CDPA gives Virginia consumers similar rights, including the right to access their personal data, the right to correct inaccurate personal data, the right to delete their personal data and the right to receive data in a portable format.
The CPRA and the CDPA may majorly impact businesses that collect, use or sell personal data. Businesses will need to comply with new consumer rights and requirements around data security, data breach notification and recordkeeping. Companies must also adapt their marketing and advertising practices to comply with the new regulations.
The California CPRA
The CPRA strengthens the California Consumer Privacy Act of 2018 (CCPA) in several ways, including expanding the definition of personal information, increasing penalties for violations and extending the law to cover more businesses.
To Whom the CPRA Applies
If your organization has even one employee in California, the CPRA applies. Even if you have remote employees working in California, the law applies. Employers subject to the CPRA should implement/update policies and procedures by:
- Forming teams to spearhead CPRA compliance efforts
- Performing data-mapping exercises to pinpoint all sources and flows of HR data, documenting how it is handled
- creating and carrying out a compliance plan in the remaining weeks
You will also need to comply with the CPRA if your company services consumers in California, made over $25m in revenue globally during the previous calendar year, buys or sells or shares information of 100,000 or more consumers or households, or derives 50% or more of annual revenue from selling or sharing personal consumer data. Remember, when meeting these criteria, the CPRA applies to any business that collects, processes or sells the personal information of California consumers, regardless of where the company is located. This means that even businesses outside of California must comply when meeting these thresholds.
CPRA Compliance Checklist
Review this CRPA compliance checklist to determine if you’re ready:
- Determine if the CPRA applies to your organization
- Discover and classify all CPRA information your organization holds, receives, processes and shares by taking an inventory of CPRA data for HR & B2B data
- Conduct privacy risk assessments to safeguard data
- Update your privacy policy and disclosure notifications
- Update your policy and processes for dealing with sensitive personal information (SPI), a special category of data with stricter disclosures, limitations, opt-in and opt-out clauses
- Update your policies to reflect changes to nomenclature in the CPRA, such as ‘sharing’
- Define breach thresholds and response workflows
- Construct an appeals workflow to deal with contested decisions
- Streamline data flow mapping to monitor privacy risk
- Automate end-to-end data rights fulfillment
- Update your collection and storage processes for purpose limitation, storage constraints and data minimization requirements
- Execute data retention policies at scale
- Manage and monitor third-party data sharing
CPRA Penalties
Businesses that violate the CPRA may be subject to various penalties, including fines, consumer lawsuits and damage to their reputation. The California Attorney General may impose civil penalties of up to $2500 per violation or $7500 per intentional violation. The maximum penalty for a single violation is $7.5m. In addition, the CPRA allows consumers to file lawsuits against businesses for violations of the law. Consumers can recover damages of up to $750 per violation or actual damages, whichever is greater. They can also recover attorneys’ fees and costs.
The Virginia CDPA
The Virginia Consumer Data Protection Act is designed to protect the personal data of Virginia consumers. Consumers will be extended rights over their personal data, including the right to access, rectify, delete, request copies and opt out of processing. Businesses will be required to make disclosures about the personal data they process, conduct impact assessments to ensure they do not infringe upon privacy rights and apply safeguards to protect personal data.
To Whom the CDPA Applies
The law applies to organizations conducting business in Virginia as well as those offering or targeting products or services to residents of Virginia when the threshold reaches 100,000 consumers, or 25,000 consumers whereby at least 50% of revenue comes from the sale of personal data.
CDPA Compliance Checklist
Review this CDPA compliance checklist to determine if you are ready.
- Determine if the CDPA applies to your business
- Determine if your organization is exempt: state agencies, compliance with the GLBA or HIPAA, non-profits and higher education institutions
- Update policies and procedures to accommodate data subject rights to access, correction, deletion, portability, right to know, right to opt-out, right to non-discrimination and other rights
- Check procedures to track free inquiries
- Ensure safeguards are implemented in a written information security plan for administrative, technical and physical data security practices to ensure the confidentiality, integrity and accessibility of personal data
- Post privacy notices and disclosures
- Limited data collection and ensure adequacy
- Conduct a formal data protection assessment of all data collection and processing activities
- Ensure controllers enter into data processing agreements (DPAs) with processors
CDPA Penalties
Businesses that violate the CDPA may be subject to a number of penalties, including fines up to $7500 per violation and is enforced by the Virginia attorney general.