From the West Coast to the East Coast—after California’s CCPA, Virginia became the second state to pass comprehensive data privacy legislation in the United States. The CDPA, Consumer Data Protection Act, comes into effect on January 1st, 2023, but the time to comply is now.
The CDPA borrows heavily from the European GDPR, California’s CCPA, and the CCPA’s update, the CPRA. Having experience with customers that must comply with both regulations, and being subject to the GDPR ourselves, we’d like to share with you why automating data lineage in the preparation phase is crucial for CDPA compliance.
Does the CDPA Apply to My Business?
Two main thresholds impose CDPA obligations on businesses. Businesses are subject to the CDPA if they:
- Conduct business in Virginia or produce products or services that target Virginia residents, and
- Control or process the personal data of at least 100,000 consumers during a calendar year; or control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.
What Data Is Included?
Similar to the GDPR and CCPA, the CDPA defines personal data as any information that is linked or can be linked to an identifiable person. Information that is publicly available in federal, state, or local government records is not defined as personal data under the CDPA.
On top of personal data, certain types of data fall under the sensitive data category that is subject to additional, stricter requirements and restrictions. Sensitive data includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, and citizenship or immigration status
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
- The personal data collected from a known child, and
- The precise geolocation of an individual (Va. Code Ann. § 59.1-571).
There are several exemptions from the CDPA, like financial institutions subject to the GLBA (the Gramm-Leach-Bliley Act) or businesses subject to HIPAA (the Health Insurance Portability and Accountability Act).
Businesses’ Obligations Under the CDPA
If your business is subject to the new regulation, you are required to:
- Adopt data minimization practices
- Disclose your privacy practices through a “meaningful privacy notice”
- Implement data security measures
- Refrain from discriminating against consumers who exercise their rights under the CDPA, and
- Obtain consent prior to processing sensitive data, as defined above (Va. Code Ann. § 59.1-574).
Covered businesses are required to conduct risk assessments on their data protection practices. These risk assessments must be taken when the covered business activities involve:
- The processing of personal data for purposes of targeted advertising
- The sale of personal data
- The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk
- The processing of sensitive data, and
- Any processing activities involving personal data that present a heightened risk of harm to consumers (Va. Code Ann. § 59.1-576).
GDPR and CCPA—Lessons Learned
If you are familiar with European and California data privacy laws, you will see numerous similarities: in how personal data is defined, in the requirement to obtain consent before processing sensitive data, and in applying the law to businesses that target Virginians but are not necessarily located in the state. Just like under the GDPR, under the CDPA consumers will have the following rights with respect to their personal data:
- The right to know what personal data a business holds and for what purposes
- The right to access their processed data
- The right to correct inaccuracies and also to delete their personal data
- The right to obtain a copy of their processed data in a readily-usable format, and
- The right to opt-out of targeted advertising, profiling, and the sale of their personal information.
What if your business fails to meet the CDPA obligations? Non-compliance has a hefty price of $7,500 per violation.
Automate Data Governance to Be Prepared
It might seem that there’s still plenty of time before the regulation comes into effect (January 1st, 2023), but the truth is that the time to comply is now. The key to being and staying compliant is to automate data lineage collection in the preparation phase. Mapping the whole environment in advance will give you an overview of all the data your company is storing and processing. Doing it automatically will guarantee that the results are correct, complete, up to date, accurate, and include all data sources, no matter how large your data environment is and how scattered your data assets might be. Completeness and accuracy are crucial for identifying all data that is defined as either personal or sensitive data. With such an overview and generated map of the whole environment, you can take the next steps to get you closer to full compliance.
With the full transparency that end-to-end lineage gives you, you will find it easier to implement data security measures required by the CDPA. Knowing exactly what data your organization is processing, how this data entered your systems, and how it’s connected with other data assets will allow you to establish or enhance current data security practices and prevent data breaches.
Why should you automate data lineage in the initial phases of a data governance initiative? Read the article by Nicola Askham, the Data Governance Coach.
So, you have harvested data lineage across all systems, you know where the data originates, you have identified personal and sensitive data, and you are CDPA-ready, so you think your journey with automated lineage can end here. Not exactly. Automating data governance well in advance will, indeed, give you time to map the environment and prepare for January 2023 without rushing into it. Still, without regular monitoring and reporting afterward, all your efforts will be wasted.
How can data lineage help once the CDPA comes into effect? It will help you make sure that you are fulfilling your obligations towards consumers. All the rights that they have under the CDPA (the rights to know, access, correct inaccuracies, delete, port, and opt out) can be granted only after you’ve located the consumer’s data. Doing it manually carries a high risk of missing a record that has been buried somewhere in your database or overlooked because its format changed during an ETL process. Automating all these efforts not only ensures accuracy and eliminates the risk of human error but also ensures that you can respond to consumer requests within the time limits that the CDPA imposes.
Working with customers from all over the world who are subject to various international, federal, and state privacy laws has taught us that the sooner you automate lineage collection, the better. Having a complete overview of what data you process, what its sources are, how the data transforms, where it resides, and how it’s connected will help you align your data governance practices with your business needs, regulatory requirements, and consumer needs without harming any of them. Do you want to know more about data lineage for data governance? Read more here.