The Virginia Consumer Data Protection Act (CDPA) is part of a new wave of data privacy legislation spreading across the United States, leaving businesses scrambling to adapt. As with these other laws, the first question businesses need to ask is, “Does the CDPA apply to us?”
To help answer that question, we’ll go over the CDPA’s applicability and geographical scope.
Being a state law, it may seem reasonable to assume that the CDPA only applies to businesses located within Virginia, but that is not the case. The CDPA can apply to any business, regardless of where it is located.
How is that possible? The law is written not to regulate Virginia businesses, but instead to protect Virginia residents. Because data privacy is so closely tied to the internet and online businesses from all over the world can affect Virginians’ privacy, the CDPA focuses on the extent to which a business is collecting and processing data about people within the state, as discussed below.
Since geography has nothing to do with whether the CDPA applies, each business must perform the following two-step analysis to determine whether it must be in compliance.
While there is not yet any explicit guidance on what this means, it is generally considered a low bar to meet. If you have an online business and sell products to people in Virginia, you are likely to be considered as “conducting business” in Virginia.
In order to calculate the totals in the second step of the analysis, it’s important to understand what it means to control or process personal data.
“Controlling” means you are the one determining how the data is used. For example, if you send promotional emails out to potential customers, it’s possible you use outside vendors both to collect email addresses and send the promotions out to your mailing list, but you are the one calling the shots, so you control that data. “Processing” includes essentially any handling of data, from performing analytics to simply storing it on a cloud server.
Personal data is any information “linked or reasonably linked to an identified or identifiable natural person.” This encompasses a wide range of information from phone numbers to IP addresses and cookie identifiers. It is this online data that is likely to account for most of your total number of consumers, as every unique visitor to your website from Virginia should be counted.
If you believe the CDPA applies to your business, it’s time to begin forming a strategy. TrueVault Polaris can help your business reach its privacy compliance goals quickly and cost effectively. Created specifically for small and medium-sized businesses, Polaris condenses the complexities of privacy law into an intuitive, step-by-step process you can complete yourself. To learn more or schedule a demo, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2024 © All Rights Reserved. Privacy Policy | Terms of Use | Supplemental Terms | California Privacy Notice