May 03 2021

What the Virginia CDPA Means for State and Local Governments

Virginia’s Consumer Data Protection Act (CDPA) serves as a benchmark for other governments to assess their data privacy practices and prepare for similar legislation.

On March 2, 2021, Virginia’s Consumer Data Protection Act (CDPA) was signed into law, making Virginia the second state to enact comprehensive privacy legislation, after California.

According to the law, it “establishes a framework for controlling and processing personal data in the Commonwealth” of Virginia. It aims to provide guidance for the organizations that process or gain revenue from consumer data.

The law specifically focuses on consumer data, but it lays the groundwork for future privacy acts and will impact most Virginians in some capacity. It’s an encouraging sign that governments are making efforts to protect their citizens’ data. Always remember that privacy legislation usually builds upon the groundwork of previous legislation to expand the depth and breadth of its reach.

The law lays out numerous important elements. One strong inclusion is clear consent. Just like the European Union’s General Data Protection Regulation (GDPR), Virginia’s CDPA requires organizations to gain permission from consumers to use their data. It must be clear to consumers what data they are providing, what it will be used for and how. Another strong show of protection is required privacy assessments.

Both cybersecurity and privacy enforcement activities should be documented and have audit trails. Data should have lifecycles managed, and hopefully, the attorney general will leverage standards such as the Center for Internet Security’s CIS Controls for effective cyber defense, similar to what California has done.

The passing of Virginia’s CDPA and of the California Privacy Rights Act (as well as the California Consumer Privacy Act) illustrates growing interest in data protection, and there’s likely more to come. Just at the beginning of April, the Information Transparency and Personal Data Control Act was introduced in the U.S. House by Rep. Suzan DelBene. The conversation is reaching a peak as more citizens and consumers are working and interacting online than ever before.

What Governments Can Do to Strengthen Data Privacy Protections

State and local governments across the U.S. can use this law to assess their data privacy practices and implement measures and systems to prepare for similar legislation. Additionally, these kinds of early laws tend to lead the way for federal laws and mandates.

Governments, as well as schools, hospitals and others, regularly share personally identifiable information with vendors, contractors and other companies. This requires a clear understanding of what data is shared, as well as where and how.

Governments and these entities will then also be responsible for notifying these companies that data privacy is a priority. These organizations should be reaching out to all of their vendors to ensure they are prepared for these changes.

Internally, state and local governments should strengthen their authentication and authorization practices. Just as important as passing legislation to protect citizen data, government should be sure that best practices are applied to citizen data within their organizations.

Governments should have an accurate database of accounts, especially privileged accounts, and audit it regularly to ensure that old accounts are removed and that the level of access given is the minimum government employees need to do their work. By limiting privileged accounts and access levels, government organizations can significantly decrease the risk of bad actors accessing data and putting citizen information at risk.

Moving forward, many states may consider their own data privacy and protection acts. When drafting future acts, there are a few considerations they should keep in mind.

Future laws can be strengthened with a clear, strong definition of personal data to cut down potential loopholes and court cases. Representatives should also make their laws opt-in laws, meaning that all consumers would have initial protection and can then choose whether to share that data with individual businesses on a case-by-case basis. Finally, future laws should expand to cover financial institutions, businesses governed by HIPAA, nonprofit organizations, higher education institutions and state and local governments.

Virginia’s CDPA is an important first step. State and local governments and other organizations not currently covered by privacy requirements should take steps now to ensure reliable data protection and privacy practices are in place and that their citizens’ data is properly handled.
