NEW: 2024 Gartner Market Guide for Consent and Preference Management
Access now
Back to main menu

Compliance

CDPA

CDPA (Virginia Consumer Data Protection Act) will dramatically improve the lives of Virginia citizens, it’ll give them stronger data rights and more protection.

Cassie will be able to help you achieve compliance without you having to compromise your business goals.

Talk to us Book a demo
CDPA Compliance

What is CDPA?

The VCDPA’s primary objective is to protect individuals’ privacy as well as inform them whether their data is being processed.

Borrowing heavily from General Data Protection Regulation (GDPR), CDPA’s main objective is to ensure that businesses obtain affirmative consent before collecting or processing sensitive personal data.

The Attorney General of Virginia define personal data as meaning “any information that is linked or reasonably linkable to a Virginia resident. It does not include publicly available information such as government-held public records”. Protected health data under the HIPAA as well as a number of other pieces of data are exempt from the CDPA.

Consumers have the right to submit a request to controllers to ask how data is being used, to delete data and opt-out, as well as requesting copies of the personal information that is being collected by an organization. Businesses must respond to these requests within 45 days of the request being made or face fines of up to $7500 per violation.

compliance cdpa

Will your business need CDPA compliance?

CDPA will apply to any entity that conducts business in the state of Virginia or who offers products and or services to its residents. Your compliance

The Consumer Data Protection Act applies to (with exceptions) any business doing business in Virginia. This includes targeting Virginia residents that (annually):

  • Controls or processes the personal data of at least 100,000 consumers
  • Controls or processes the personal data of at least 25,000 consumers and derives at least 50% of its gross revenues from selling personal data
Data myths and misconceptions report download

Download our ‘data myths and misconceptions’ research report

Discover:

  • The most popular data protection measures and if consumers find them effective
  • How aware consumers are of the level of information that companies can collect about them
  • If consumers keep up to date with data privacy legislation
  • How companies can build customer trust by respecting data
Download now

Choose Cassie for:

High Volume Icon

High volume, fast response querying

Cassie can process up to 50,000 transactions per second, which means however large your operation is you’ve got peace of mind. Our largest client has 400,000 data subjects.

Icon Customer Insight

Deeper customer insight

Cassie’s Customer service portal will let you capture up to 13 fields. You’ll be able to learn more about your customers in order to create personalized customer journeys.

Icon Dedicated Experts

Pass audit inspections

Be prepared for compliance audits with demonstrable tracking and complete history logs, alongside advanced RoPA and DSAR modules to improve efficiencies and assess risk

Icon Unlimited Storage

Ensure data security

Cassie is SOC 2 certified, assuring organization’s data is safeguarded from unauthorized access or breaches with industry-leading encryption protocols and practices

Icon Audibility

Centralized source of truth

Use Cassie to honor and enforce consent data via APIs and integrations at high volume, in real-time for CDPA compliance across your tech stack (CRMs, marketing automation tools, BI tools)

Icon Connector Red

Complex consent made simple

For every consent captured, Cassie can store unlimited key value pairs of additional information against those consents to unlock scalable, granular consent management

FAQs for CDPA

  • What are the CDPA’s Consumer Rights?
    • The CDPA requires controllers to facilitate certain consumer rights, enabling Virginians to exercise greater control over their personal data. The CDPA’s six consumer rights are:
      • Right of access: You must provide a copy of any personal data you hold about a consumer on request.
      • Right to correct: You must correct any inaccurate personal data you hold about a consumer on request.
      • Right to delete: You must delete a consumer’s personal data on request.
      • Right to data portability: On request, you must provide the consumer with a copy of their personal data in a portable and readily useable format.
      • Right to opt out: You must allow consumers to opt out of:
        • Targeted advertising—this means implementing a compliant consent-management tool
        • The sale of their personal data
        • Being subject to profiling, to the extent that it advances decisions that product “legal or similarly significant effects”
      • The right to appeal: You must allow consumers to appeal any decision to refuse a consumer rights request.
  • What are the CDPA’s Limits on collection and use?
    • The CDPA imposes two principles on controllers:
      • Limits on collection: You must only collect personal data that is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
      • Limits on use: You must not unnecessarily process personal data for any purposes other than those that are compatible with the context in which you collected the personal data—unless you obtain the consumer’s consent.
  • Do I need to conduct a Data Protection Assessment under CDPA?
    • Under the CDPA, controllers must conduct a data protection assessment to identify and weigh the benefits and risks of certain processing activities, including:
      • Targeted advertising
      • Selling personal data
      • Profiling to advance decisions producing legal or similarly significant effects (such as credit applications).
  • Do I need to maintain a privacy policy under CDPA?
    • The CDPA requires each controller to maintain a privacy policy detailing:
      • The categories of personal data you process
      • Your purposes for processing each category of personal data
      • How consumers may exercise their rights
      • Any categories of personal data you share with third parties
      • Any categories of third parties with whom you share personal data.
  • What is the enforcement for non-compliance with CDPA?
    • The Virginia Attorney-General will offer controllers 30 days to correct any alleged infringements of the CDPA. If the violation is not corrected within 30 days, the Attorney-General may impose a fine of up to $7,500 per violation.