CPRA & VCDPA – Are You Ready?

How to Stay Compliant with the New CPRA and VCDPA Privacy Data Laws

Data in America is currently regulated through a patchwork of laws. At the state level, there are privacy data laws and breach notification laws. Privacy data laws are always changing, and the two recent laws enacted in California and Virginia are proof of that.

Both the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) are set to take effect on January 1, 2023. Every organization should look at both laws and see what applies to them on the state and federal levels based on their data processing activities and industry. Let’s look at the requirements of these new laws and how to comply with them quickly.

New CPRA Requirements

The California Privacy Rights Act applies to all for-profit organizations that generate $25 million in gross revenue annually. However, the new laws also cover companies making less than $25 million but processing data for at least 100,000 Californians or making 50% of their revenue from selling personal data. It makes significant to the current California Consumer Protection Act (CCPA) laws through the following ways:

• Eliminates the employee exception – resident employees, emergency contacts, independent contractors, beneficiaries, members of the board of directors, and applicants have the same rights as consumers.
• Verifies consumer request – employees can make a verifiable consumer request to a company about the personal information they have on them. They may request the information be deleted, corrected, or not shared or sold.
• Provides for a notice of rights – employees should know their rights under CPRA and notify their employer of their right to exercise them. Employers have a limited period to respond to a request.
• Personal information distinction – personal information is any information that describes, relates to, identifies, or is capable of being linked or associated directly or indirectly with a consumer or household. Such information includes driver’s license number, Social Security number, passport number, state identification card, account log-in, debit or credit card number, geolocation, or ethnicity.
• Business-to-business (B2B) transactions – All B2B transactions are subject to CPRA

New VCDPA Requirements

Like the CPRA, the VCDPA has minimum thresholds for companies it applies to. The laws apply to companies that process the personal data of 100,000 or more Virginia residents. It’s also applicable to organizations with personal data of at least 25,000 Virginia residents and gets more than 50% of revenue from sharing or selling personal data. The new rules state that:

• Companies should inform consumers of their under VCDPA and provide a channel for them to exercise those rights
• Companies should obtain consent before collecting or sharing certain personal information such as precise geolocation, biometric data, and protected characteristics data
• Companies that partner with third-party service providers for data collection and storage should specify the third party’s responsibilities under VCDPA.
• Companies should exercise the data minimization principle by only holding on to personal data for the time required to achieve their purpose
• Companies implement reasonable security measures to ensure data is protected

The VCDPA will allow for a 30-day cure period. Uncured non-compliance could result in a $7,500 civil penalty per violation. Companies need to ensure they’re prepared for the new changes.

Ways to Stay Compliant with the New CPRA and VCDPA laws

There are various ways organizations can ensure they stay compliant with the new laws and avoid risking any consequences of non-compliance. These include:

• Doing an Internal Assessment: Conduct an internal audit of procedures to ensure compliance. This helps you know where gaps are, how to tackle them, and stay compliant with Virginia and California laws.
• Conduct data inventories and mapping: Know the type of sensitive data stored and where it’s stored and do a risk assessment of the system to know processes that may be considered high risk.
• Understand data flow and sharing: Know how you share data with third parties and how data flows into your organization. This will help you understand what contracts to have in place.
• Identify data processing activities: All organizational activities related to data processing should be disclosed in your policies.

Also, ensure that all of your personnel are educated on your processes, procedures, and policies.

Need Help? Reach Out.

If you need assistance operationalizing these new policies, we are available to help you. We work with organizations to help look at their vendor management program and other opportunities to move towards compliance in terms of programs and policies and mitigate risks. Reach out if you have any questions or need help determining where your organization should start.