Last year, Virginia passed the Consumer Data Protection Act ("CDPA"), marking the Commonwealth's entry into the state data privacy law field. The Virginia privacy law goes into effect January 1, 2023. In this year's legislative session, the Commonwealth passed important amendments to the CDPA. With no regulatory body involved in implementing the CDPA, these amendments will likely be the final changes to the law prior to its going into effect at the beginning of next year.

How do the 2022 amendments affect the Virginia privacy law?

The Virginia legislature made two substantive amendments to the CDPA in 2022:

The expanded nonprofit definition effectively includes all types of charitable and political organizations. Nonprofits are, generally, exempt from the CDPA's requirements.

The more impactful and important change concerns the right to delete. First, it is useful to review some basic definitions contained in the data privacy law: (1) A data controller is the entity that exercises control over the consumer's data; and (2) a data processor is one that uses data obtained from the controller to carry out some business purpose (e.g., a payment company uses consumer information from the controller to complete a consumer transaction). Sometimes, controllers do not obtain consumer data directly from the consumer. Instead, controllers purchase consumer data from data brokers, companies that sell consumer data to businesses (usually for advertising purposes).

In the original version of the CDPA, consumers had the right to compel data controllers to delete the original version of the consumer's personal information. But in practice, data controllers sometimes purchase the data from data brokers, and thus cannot easily complete the deletion of the original form of the consumer's personal information. The Virginia legislature recognized this reality and, accordingly, amended the deletion requirement.

Now, when the law goes into effect, a consumer's right to delete will become a right to opt out of data processing when the controller did not obtain the consumer's information directly from the consumer. When controllers who have purchased the consumer's data from another source receive a request to delete, controllers may comply with that request by either:

  • Keeping a record of the deletion request and only retaining the minimum amount of data necessary to comply with the deletion request and not using the retained data for any reason other than completing the deletion request; or
  • Opting the consumer out of processing of that data except for reasons exempted from the CDPA.

Why do these amendments matter to your business?

The amendment to the right to delete will affect businesses and how they prepare to comply with the CDPA by the effective date. In a nod to the realities of the industry, the Virginia legislature made compliance easier by further defining the right to delete. With CDPA compliance made more straightforward, businesses should begin in earnest to prepare for the law's kickoff next year.

An advertising industry reality is that a consumer's information may be bought, sold, and transferred several times across different companies. As a result, businesses have to be careful to understand whether and in what situations they are a controller, processor, and/or broker. Understanding your business's place in the advertising chain is therefore crucial to ensure CDPA compliance.

Hire experienced privacy attorneys.

Including California's significant amendments, five new state privacy laws will go into effect in 2023 alone. Ensuring compliance with all of these laws is a mammoth task. Businesses must navigate the complexities and subtle differences between each law to stay compliant. Hiring experienced privacy attorneys can help make that compliance journey easier. The attorneys at Klein Moynihan Turco have experience in all things privacy and have been helping businesses stay ahead of the privacy curve for years.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.