Consumer Rights Under CDPA

Virginia became the second state in the US to enact comprehensive privacy legislation. The Consumer Data Protection Act (CDPA) is a new privacy law that draws heavily from the popular CCPA and GDPR privacy laws. It is a regulation that governs the way businesses use and sell the personal data of Virginia consumers for business purposes.

The regulation applies across the board to any business, large or small, for-profit, that collects or processes personal data. Like the CCPA, it also gives consumers several rights concerning the use and processing of their personal data.

In this article we explain the rights outlined in the Virginia Consumer Data Protection Act and how businesses are expected to handle consumers exercising those rights under the CDPA. But first, let us look at the 6 consumer rights that are broadly classified below.

Consumer Rights under Virginia Consumer Data Protection Act

Now another global privacy regulation, the new Consumer Data Protection Act enumerates 7 privacy rights for the consumers of Virginia. With this, Virginia consumers will have certain rights concerning their personal information, much like those outlined in the GDPR and the CCPA. These rights are broadly classified as follows:

Right to Access - Consumers have the right to access their personal data and to obtain a copy of that data from the controller in a readily usable format.

Right to Know - Consumers have the right to know whether or not a business is processing their personal information. They also have the right to know the nature of the information processed and the processors with whom their data is shared.

Right to Rectification - Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing it.

Right to Deletion - Consumers have the right to request deletion of the personal data that the business has obtained about them.

Right to Object to Data Processing - Consumers have the right to opt out of the processing of their personal data for targeted advertising or the sale of personal data. The CDPA provides no exceptions to this right, so a business that receives such a request must comply with it irrespective of the hardship or impracticability involved.

Right to Data Portability - Consumers have the right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

Right to Appeal - The CDPA gives consumers the right to appeal, within a reasonable time, a business's refusal to act on a request. Under the law, a business must respond to a consumer request within 45 days of receipt. Where reasonably necessary, the business may extend the response deadline by an additional 45 days, provided it notifies the consumer within the initial response window.

If a business fails to act on a request, the CDPA mandates that a “controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable time after the consumer’s receipt of the decision.” If the appeal is denied, the controller must inform the consumer how to submit a complaint to the Attorney General.

How are businesses required to handle consumer rights requests under CDPA?

Businesses must develop processes that allow consumers to exercise the rights outlined above. The provisions are similar to and closely replicate the California requirements, so organizations that are already CCPA compliant will find it easy to implement the requirements outlined in the CDPA.

  • 45 Days to Respond - Businesses are required to respond to consumer requests to exercise their rights without “undue delay” and in all cases within 45 days of receipt. They may take an additional 45-day extension if reasonably necessary to comply, but they must notify the consumer of the extension, and give the reason for the delay, within the first 45-day window.
  • Two Free Inquiries Annually - Consumers can exercise their rights through two free inquiries per year. Beyond that, the business may charge a reasonable fee to cover administrative costs if requests are excessive or repetitive.
  • Ability to Decline to Respond - In some situations, such as when the business cannot authenticate the consumer’s identity or when the data requested is not subject to the statute (for example, employment data), the business may decline to take the action requested. However, it must give the reasons for declining and instructions on how the consumer can appeal that decision, all within 45 days of receipt of the initial request. Any appeal must be decided within 60 days of receipt, and a written explanation must be provided to the consumer, together with a method (online or otherwise) for contacting the Attorney General to submit a complaint.
  • Contractual Control - The CDPA clearly states that controllers are responsible for the vendors or third-party processors with whom they share personal data. The Act requires controllers to put in place a Data Processing Agreement, a contract between the controller and the processor, that addresses:
      • The type of personal data to be shared.
      • Instructions detailing the processing to be performed by the processor.
      • The duration of the processing.
      • A duty on both parties to maintain the confidentiality of the personal data.
      • An obligation on the processor to delete or return the data to the controller at the end of the services or when the service is terminated.
      • The controller’s right to assess the processor’s technical and organizational measures for compliance with the CDPA.
      • An audit or due-diligence provision allowing the controller to audit the processor or receive a report, and a requirement that the processor flow down these obligations to its subcontractors.

Final thought 

With the Virginia Consumer Data Protection Act soon to take effect, businesses can no longer contract for services involving personal data with a simple purchase order. Businesses subject to the Act will need proper policies, procedures and measures in place, along with a standard contract between the controller and the processor on how any personal data is to be processed or handled.

Organizations looking for professional assistance in preparing for the upcoming Virginia Consumer Data Protection Act can get in touch with us at VISTA InfoSec. We are an experienced cybersecurity consulting firm with nearly two decades of industry experience in data privacy standards, regulation, compliance and governance.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.