[BreachExchange] GDPR and CCPA Left Gaps in Consumer Data Protection. Virginia’s New Privacy Law Closes Them

Inga Goddijn inga at riskbasedsecurity.com
Thu May 20 10:22:11 EDT 2021


https://www.corporatecomplianceinsights.com/virginias-new-privacy-law-closes-gaps/

In early March 2021, Virginia passed a data privacy law
<https://www.corporatecomplianceinsights.com/virginia-consumer-data-protection-act/>
called the Consumer Data Protection Act (CDPA)
<https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB1392>. The CDPA
brings together a combination of concepts from the California Consumer
Privacy Act (CCPA)
<https://www.corporatecomplianceinsights.com/california-privacy-law-update-ccpa-amendments-announced-and-cppa-board-members-appointed/>
and the European Union’s General Data Protection Regulation (GDPR)
<https://www.corporatecomplianceinsights.com/gdpr-compliance-impact-first-year/>.
It also makes data privacy regulations easier for the public to understand
and leverage. There is reason to believe that this will result in more data
subject access requests, which could have a similar effect in California,
the E.U., and other jurisdictions that pass data privacy laws in the future.

The good news for Virginia companies is that the CDPA has been adjusted to
avoid many of the compliance headaches both the CCPA and GDPR have created.
The CDPA proposes narrower definitions regarding development and
implementation that exclude the categories of data and businesses where
there was (and still is) some confusion with respect to compliance. Now
that the law has passed, what does it mean for companies with ties to
Virginia that have been working to comply with regulations such as the GDPR
since 2018?

Virginia has become the second state to enact a comprehensive consumer #data
#privacy statute in the U.S.

There are aspects of the CDPA that are similar to the CCPA and the upcoming
CPRS – but also different.

So are we going to end up with 50 versions in the country?

 — Theodora (Theo) Lau – 劉䂀曼 (@psb_dc) March 11, 2021

Although companies do not need to comply with Virginia’s new privacy law
until 2023, it’s important they implement a strategy now. To fully
understand how this new data privacy law can apply to your company, let’s
take a look at some key points from the CDPA, such as consumer rights, data
processing obligations, data controllers and data processors. From there,
we’ll explore where and how companies may need to enhance their privacy
policies and data processes.

Understanding the Key Points of the CDPA

*Consumer Rights*

Virginia consumers will have the right to know whether or not a business is
processing their personal information. They will also have the right to
access their personal information and to obtain a copy of it in a readily
usable format. Going further, they will be able to request that
inaccuracies in their personal information be corrected by the business
that holds it, taking into account the nature of the information itself and
the purposes of the business’s processing of the consumer’s information.

Additionally, they will have the right to obtain a copy of their data from
the controller in a portable and readily usable format that allows them to
transmit the data to another controller. And finally, consumers will have
the right to opt out of several different uses of their personal
information, including targeted advertising, the sale of their personal
information and profiling in furtherance of decisions that produce legal or
similarly significant effects.

*Consumer Rights Response Time and Obligations*

Businesses that are subject to Virginia’s new privacy law must respond to
requests by consumers to exercise these rights without “undue delay” within
45 days of receipt. There is, however, an additional 45-day extension
available if reasonably necessary for the business to comply. If a business
needs the additional extension, it still must respond to the consumer
during the first 45-day period and provide the reason for the delay.

A business may decline to act on a consumer request, for example when it
cannot authenticate the consumer’s identity, or when the data requested is
not of a nature that is subject to the statute (such as employment
data). In that case, the business must provide the reason for
declining and instructions about how to appeal that decision, all within 45
days of receipt of the initial request from the consumer. Any appeal must
be decided within 60 days of receipt, and a written explanation must be
provided to the consumer, together with a method for the consumer to
contact the Attorney General to submit a complaint.

*Data Processing Obligations*

The CDPA sets out several obligations similar to the GDPR for businesses
processing personal data. These obligations include:

   - *Data Minimization:* Businesses must limit the collection of personal
   data to “what is adequate, relevant and reasonably necessary” in relation
   to the purpose for the data processing.
   - *Purpose Limitations:* Businesses must process personal data only for
   purposes reasonably necessary or compatible with the purposes disclosed in
   the business’s privacy policy.
   - *Security Controls:* Businesses must establish, implement and maintain
   “reasonable administrative, technical and physical data security practices”
   to protect the confidentiality of personal data.
   - *Consent:* Businesses must obtain express consent from consumers when
   the business processes sensitive data or deviates from the purposes
   disclosed within the business’s privacy policy.
   - *Data Protection Assessments:* Businesses must conduct data protection
   assessments (DPAs) to evaluate the risks associated with the following data
   processing activities:
      - The sale of personal data,
      - When processing sensitive personal data,
      - When processing personal data for targeted marketing purposes,
      - When processing personal data for profiling purposes and
      - Instances where processing presents a heightened risk of harm to
      consumers.

*Data Controllers and Data Processors*

Just like the GDPR and CCPA, Virginia’s new privacy law reiterates that
“controllers” are fully responsible for their “processors.” This requires
that a contract is in place between a company and every vendor with which
it shares, or to which it sells, personal data, and that the contract
includes, at a minimum, provisions that address:

   - The type of personal data to be shared;
   - Instructions detailing the processing done by the recipient of the
   personal data;
   - The duration of the processing;
   - A duty to maintain the confidentiality of the personal information by
   both parties;
   - An obligation that the processor deletes or returns the data to the
   controller at the end of the services unless the processor is legally
   required to retain it; and
   - A right of the controller to assess the processor’s policies (itself,
   or by using a designated assessor) and technical and organizational
   measures with respect to compliance with CDPA — effectively an
   audit/diligence provision — along with the right of the controller to
   receive a report of that assessment, and a requirement that the processor
   flow these obligations down to its downstream vendors and subcontractors.

What’s Next For Virginia Companies?

Virginia’s CDPA will take effect January 2023, which gives the state plenty
of time to outline and update exceptions to the law. That means what’s
detailed above could change before it’s fully enforced. In addition, the
exemptions to the law, which were not covered above, could also change
prior to the enforcement date.

However, what’s great about the CDPA is that it’s attempting to make
privacy laws more understandable and more easily leveraged by consumers.
The law highlights ways to opt out of consent and/or processing, as well as
how to contact the Attorney General, if it’s required. This may lend itself
to not only an increase in CDPA consumer requests, but also increases in
both GDPR and CPRA data subject access requests, since those privacy
notices could also be updated and simplified as well.

Answering the Big Questions

Zooming out, Virginia’s new privacy law indicates a continuing trend that
requires companies to know and be in control of their data. If a company
wants to be able to properly protect data and provide consumer rights, it’s
imperative that they know the five W’s and one H of data: Who, What, Why,
When, Where and How.

Here’s the breakdown:

   - *Who:* *Whose* data it is determines the controls a company is legally
   obligated to apply to the data.
   - *What:* *What* the data entails will determine where the data should
   be stored, whether it’s on a public or private network. That will also
   determine whether the data should be encrypted or masked if it is sensitive
   in nature.
   - *Why:* Companies need to determine *why* they have the data they do.
   Say for example, an email address. It can be used for many different
   things; those reasons need to be clearly defined, and the data needs to be
   organized so as to make this clear.
   - *When:* It’s also important for companies to know *when* they received
   data and to make decisions about how long they can legally store it. If
   it’s financial data, maybe that time frame is seven to 10 years, depending
   on the financial requirements. If it’s medical research, it could be
   indefinitely. Companies should also keep track of when data was last
   accessed and modified to better inform their storage decisions.
   - *Where:* Deeply tied to the “who” and “what,” companies need to know
   *where* data is stored and why. If data is stored by a third party,
   companies must make sure to have contracts and requirements in place to
   properly protect the data.
   - *How:* The “why” and the “how” are also tightly coupled. *How*
   companies are using data should relate back to a company’s privacy policies
   or notices. Companies need to make sure they are using data as it’s
   intended so they don’t break a customer’s trust.

In order to comply with CDPA, companies should incorporate data discovery,
data classification, data minimization, records of data processing
activities and data protection assessments as part of their everyday
processes and controls, if they haven’t already. Let’s take a look at each
of these functions and their importance:

   - *Data discovery:* This is the most important function, because a
   company doesn’t know what it doesn’t know. If a company doesn’t know what
   data is where, the risk of that data being used improperly significantly
   rises.
   - *Data classification:* Furthermore, if companies aren’t aware of what
   data they possess, they can’t leverage data classification to organize
   their data by sensitivity, importance, etc.
   - *Data minimization:* This process ensures certain data only lives
   where it is supposed to (and not on several other systems). It also reduces
   the risk of that data being stored in an improper place.
   - *Records of processing:* This goes back to the five W’s and one H.
   Companies need to be able to answer where data is, how it’s being used,
   what systems it’s in, how they are protecting it and how long they are
   going to keep it.
   - *Data protection assessments:* These assessments are also paramount.
   If a company makes a change to a process or procedure, they need to figure
   out how it impacted the data involved. Assessments need to be done
   frequently to ensure any changes made in a company’s environment won’t
   jeopardize other pieces of the environment.

It’s clear that Virginia’s new privacy law will reignite a focus on data
privacy and security given its high visibility thus far, enabling companies
impacted to refocus their efforts and potentially expand funding for their
initiatives. It will also put the power in the hands of consumers, as they
will be better informed and more easily able to leverage their data rights.
The CDPA is further proof that data privacy doesn’t stop at California, or
Virginia, or any other state for that matter. As data privacy grows and
becomes more apparent, laws like the CDPA will help continue to highlight
the importance of data compliance.