Stay Ahead of the Game: Best Practices for the Virginia CDPA Data Protection Assessment


It’s not news that the Virginia CDPA went into effect January 1, 2023. With all eyes on the California CPRA, Colorado’s CPA, and Connecticut’s CTDPA going into effect July 1, 2023, it’s easy to forget a rather unique requirement of the Virginia CDPA: the Data Protection Assessment.

Virginia’s CDPA is designed to afford residents certain data privacy rights. Most notable for marketers is the right to opt out of targeted advertising. By now, organizations should be offering an opt-out mechanism for Virginia users, as well as updating privacy policies and disclosures on digital properties. If you have not, it’s time to get to work, since several other laws with similar requirements go into effect in July!

One unique component of the Virginia CDPA is the requirement for organizations to conduct and document a Data Protection Assessment for processing activities involving personal data. 

Personal Data is defined in the CDPA as:

“Personal data means any information that is linked or reasonably associated to an identified or identifiable natural person.”

Processing activities in scope for the assessment per the regulation include:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
  4. The processing of sensitive data; and
  5. Any processing activities involving personal data that present a heightened risk of harm to consumers. A single data protection assessment may address a comparable set of processing operations that include similar activities.

Such data protection assessments shall take into account the extent to which the personal data is sensitive data and the context in which the personal data is to be processed.

Data protection assessments conducted pursuant to subsection A shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

The Attorney General of Virginia will request your organization’s Data Protection Assessment relevant to an investigation. 

The Data Protection Assessment of the Virginia regulation is somewhat burdensome for organizations. I wonder how many have gone through the process of completing the assessment, and have it on hand for the Virginia AG upon request. Fortunately, Virginia only requires the assessment to be performed on data collection activities post-January 1, 2023. 

How can Tag Inspector help your organization meet the requirement and what should you do?

The best way to keep the Virginia Attorney General’s eyeballs off your organization’s digital properties is to follow the CDPA guidelines on users’ rights. Be sure your disclosures are in place and that you are affording users the right to opt out of targeted advertising by some mechanism (a consent management platform is strongly recommended if you are engaging in these activities).

Given that there are three state laws going into effect July 1, this is a good time to perform an audit of your tech stack and use the data to inform the Virginia Data Protection Assessment, as well as to meet the requirements of the CPRA, CPA, and CTDPA going into effect July 1, 2023.

The team here at Tag Inspector can help you surface all of the data collection your website is engaging in. An audit will help you determine and document which platforms fall into these regulations for opt-out rights and give your legal teams the necessary data to inform your privacy policies, consent management experience, and the Virginia Data Protection Assessment. 

Reach out to explore a Data Governance Audit with the team at Tag Inspector. We are looking forward to supporting you in your compliance journey!

Originally Published On June 14, 2023