By now, you’re probably familiar with the California Consumer Privacy Act (CCPA), which went into effect on the first day of 2020. Though it’s a state law, it impacts how businesses across the globe manage the personal information (PI) of California’s residents. But CCPA’s legacy is that it redefined what PI actually is:
“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
To clarify further, PI includes direct identifiers such as name and address, as well as indirect identifiers such as IP addresses and cookies. The definition also extends to biometric data, Internet activity, and more. The moral of the story is that going forward, companies will need to design their data ecosystems to be flexible to meet privacy requirements since even the very definition is a moving target.
Enter the Virginia Consumer Data Protection Act (VCDPA), which some are calling the CCPA of the East Coast. No matter what you call it, the concept has quickly jumped across the country and become a reality for Virginia businesses. Some say this may open the floodgates for Washington to consider a national privacy law. Regardless, businesses that collect or process Virginians’ data will likely be affected, so businesses should prepare. Although many lawyers are saying VCDPA is more business-friendly than CCPA, there are new and different requirements that need to be addressed, such as corrective action and data protection assessments.
CCPA VS. VCDPA: A QUICK COMPARISON
First, let’s define which businesses are subject to VCDPA. While the graphic below shows the two scenarios that make a business subject to the law, if your website receives more than 275 unique Virginia visitors per day, your business is likely to be in scope for VCDPA.
Note one important omission: there is no revenue threshold imposing obligations. While California said any company with revenues over $25 million is subject to CCPA, Virginia does not make this blanket stipulation for large companies, which may be an advantage for large B2B companies that don’t process more than 100,000 Virginians’ PI data.
In addition, Virginia’s law doubles the number of Virginia consumers a company can process (to 100,000) without being subject to the law and explicitly omits a person from its definition where they are “acting in a commercial or employment context.” Taken together, these factors essentially mean that VCDPA does not cover B2B or employee data. Additional differences between the two laws can be found in the chart below.
HOW COMPANIES CAN PREPARE FOR DATA PRIVACY LAWS
Many companies find themselves in one of three categories as it relates to data privacy efforts:
Already Automated: If you’ve already taken the time to implement automation for data privacy—due to CCPA or otherwise—then you’ll likely be in good shape for VCDPA, or as other states adopt privacy laws.
Manual Approach: Making an effort to track your data privacy activities demonstrates a strong commitment to compliance, but ever-changing regulations will quickly render any manual approaches untenable. The arrival of VCDPA means it’s time to start automating the most time-consuming aspects of your privacy work.
Haven’t Started: You’re likely behind, especially if more legislation starts passing. (So, it’s probably time to start getting more proactive with your data privacy efforts.)
Whether you’re doing data privacy well, transitioning to an automated approach, or starting from scratch, there’s good news: there’s a roadmap for what you need to do to start being compliant—or to take your data privacy efforts to the next level—outlined in the five steps above.
You may have noticed that the requirement to perform a data protection assessment (DPA) is specific to VCDPA. It sets the expectation for you to review processes, identify any risks, and explain the steps you’re taking to remediate that risk.
This is critical if your business:
Processes data for targeted advertisements
Sells or profiles personal data
Processes sensitive data or if processing has heightened risk to consumers
So again, no matter where you fall on the spectrum of preparation, there is always much to unpack when these new data privacy laws go into effect.
TURN POTENTIAL PRIVACY REQUIREMENTS INTO OPPORTUNITY
Virginia may be a proxy for the future of data privacy laws. But while new mandates are likely on the horizon, there is a silver lining: Forrester research has proven that investing in data privacy has a positive ROI, especially when you account for the expensive impact of a data breach or quantify the benefits of trust and privacy appreciation. That means there’s legitimate value—and the potential for new or increased brand loyalty—if you’re willing to protect your customers. The time to start building a sustainable ecosystem is now.
Pete is a principal in CapTech’s Richmond office and a thought leader in the area of data and analytics. With over 25 years of data management experience with an expertise in data governance and data privacy, Pete has a constant focus on continually learning and evolving organizational data architectures.