Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) on Tuesday, March 2, 2021. Virginia now joins California as the second state to have a data privacy law. The law takes effect on January 1, 2023, so businesses have some time to get ready. In our previous article on the proposed legislation, we described the new consumer rights available, the lack of a private right of action, and detailed which businesses will have to comply with the new law. In addition to providing consumers with their rights regarding their data, the CDPA requires transparent processing of personal data through a privacy notice, which must include the following:
- The categories of personal data collected by the controller;
- The purposes for which the categories of personal data are used and disclosed to third parties, if any;
- The rights that consumers may exercise via the new law;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
In addition, if a controller sells personal data to data brokers or processes personal data for targeted advertising, controllers must disclose such processing to consumers and inform them about how a consumer may exercise the right to object to such processing, in a clear and conspicuous manner.
Finally, the new law requires controllers to conduct a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers.