Virtualization Technology News and Information
Are You Prepared for the Virginia Consumer Data Privacy Act (CPDA)?

data privacy cpda 

The governor of Virginia has officially passed the Virginia Consumer Data Privacy Act (CDPA) - making Virginia join the ranks of California to become the second state with a comprehensive data privacy law. The CDPA comes into effect on January 1, 2023-the same date that the California Privacy Rights Act (CPRA) amendments take effect-and will require entities subject to the law to coordinate their efforts to ensure compliance with their growing obligations under these dynamic privacy law developments. 

The law will not go into effect until Jan.1, 2023, but it is never too early for organizations to prepare. Below, leading technology experts have weighed in on how businesses can prepare for the law and shared best data privacy practices. 


John Noltensmeyer, CTO of TokenEx

"The passage of Virginia's new privacy law means that businesses will now have two new state-specific regulations to prepare for prior to January 1, 2023, including California's CPRA. Therefore, it's critical to use this window of time to review efforts regarding current CCPA requirements, while also looking to ensure the organization is compliant with the upcoming changes. While it can seem overwhelming and complex, one of the logical places to start is to secure the personal data an organization holds. By utilizing technology like pseudonymization through tokenization, businesses can protect consumers' sensitive data while also meeting the compliance obligations for current and future laws across multiple jurisdictions."


Bill O'Neill, VP of Public Sector, Centrify

"Compliance with Virginia's newly-introduced privacy bill, the Consumer Data Protection Act (CDPA), may introduce complexities for many large businesses due to currently distributed workforces. Unfortunately, we are in a time where more information is online, and more dispersed than ever before, making everyone more vulnerable. 

Using essential cyber measures that secure privileged accounts is imperative to prevent hackers from gaining access to privileged account data, as well as private messages, security information, and other personal details. But, unlike the revenue-based compliance hurdles in the California Consumer Privacy Act (CCPA) and the private right to action, Virginia's CDPA appears to spare smaller businesses from complying with the privacy law, or being subject to costly litigation in the event of a breach. This can be a double-edged sword for consumers, especially if smaller businesses are not investing in technologies to secure access or identities, and don't have IT administration teams to help secure customer data. 

Still, this law could spark further dialogue toward a national standard that protects consumer privacy and gives individuals control over how their data is used. We advocate for organizations to adopt a least privilege approach to reduce unnecessary and potentially damaging lateral movement inside of networks, in addition to using solutions that enable secure remote access to data centers and cloud-based infrastructure. These solutions secure all administrative access with risk-aware, multi-factor authentication (MFA) and, as a best practice, maintain the level of compliance that can improve an organization's security posture, minimize the risks of compromised credentials, and ensure data privacy for both the organization and its customers for the long term."


Josh Odom, CTO, Pathwire

"With Virginia's new privacy law, the Consumer Data Protection Act (CDPA) being sent to the governor's desk, it's time we broke down the most prominent privacy regulations and how they play into the data-saturated world of email marketing. 

The EU's General Data Protection Regulation (GDPR) covers several lawful bases for data processing, and consent is one of them. As email marketers, we need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR is specific to the activity. We must ask ourselves: do I have permission to send marketing messages to them? Are they expecting my emails? 

Even a scammer would need my explicit consent to continue sending me spam. While this might frustrate email marketers, customers must also have the option to withdraw consent (objecting to use of information for direct marketing) if they decide they don't want to hear from you anymore. But why would you want to talk to someone who isn't interested in what you have to say anyway?

The CDPA echoes the importance of consent. Email marketers must be explicit about any information collected or processed from residents of the state of Virginia -- and work with their sales teams to ensure that contact receives the same quality service at the same price as all prospects, regardless of their privacy decisions.

Whether you're looking to optimize your GDPR, CCPA or CDPA compliance, or just getting started in email marketing and want to ensure you're on the right path, prioritizing steps into actionable pieces is the way to go. Confirming consent with existing contacts and protecting data with proper security measures can seem overwhelming, but when in doubt don't hesitate to reach out for advice or to a lawyer that specializes in data protection.

At the end of the day, what matters is keeping your contacts informed at all times of what's being done with their information. Having a trail of documentation that you can show to prove this will prepare you in case you're audited for compliance purposes."


Samantha Humphries, Head of Security Strategy, EMEA, Exabeam

"With Virginia soon to join the ranks of California with a data privacy law and at least four other states considering similar legislation, organizations in the U.S. must begin to consider how they would comply with a privacy law in their own state. While the particular nuances of each law will vary, companies can start by aiming to be transparent about data monitoring. Businesses must ensure they are offering customers and staff information on what data is being collected, and the right to say no and opt out of data collection. Now would be a good time to update privacy policies and notes, check on the company consumers' rights protocols and data gathering processes, as well as boosting the overall security posture of the organization from both a protection and a response perspective.

Even for organizations in states where there are not currently privacy laws being considered, it is a good idea to consider the following as guiding points for data protection:

  • Who will have access to the data?
  • What is the personal data being used for, and for how long should it be kept?
  • Where is the data being stored?
  • Is inaccurate or incomplete data being erased or corrected?
  • How is the data being secured?

The key to preparing for data privacy legislation is transparency and education. By prioritizing the safeguarding of digital information, an organization can ensure they are meeting potential compliance standards and protecting their employees and customers. Ultimately, good practice in these areas instils consumer confidence and trust, and therefore should be part and parcel of doing business regardless of legislation." 


Adam Strange, Data Classification Specialist at HelpSystems

"I was pleased to see news breaking recently that Virginia Governor Ralph Northam had signed the Consumer Data Protection Act into law, forcing companies to give consumers the right to opt out of data collection. With states such as California, Vermont and Ohio all having data protection legislation and Alabama having its Data Breach Notification Act it's good to see laws like these becoming more commonplace in America.

As a result, now is the right time for organisations to review their data governance and protection requirements. They would be well advised that employing data classification is the best practice standard in the first steps to achieving a holistic data-centric security strategy and to ensure compliance with these incoming legislations. 

Data protection is the "one constant" that must be maintained across all environments. Organisations hold and are responsible for safeguarding vast amounts of data and this data must be appropriately protected, irrespective of its type or location. To do this effectively and remain within the boundaries of regulatory compliance, organisations must have the ability to accurately identify, classify and protect data. An integrated combination of process and user-centric, people-based capabilities are required, alongside technology, to deliver relevant data protection strategies for each business and its users.

As we see more data protection legislation come into effect, the necessity to keep businesses and data safe while facilitating access and usability for all user groups will become infinitely more challenging.  The use of effective data classification tools will become paramount as organisations seek to comply with these new standards."


Robert Prigge, CEO of Jumio

"Virginia’s new Consumer Data Protection Act validates data privacy is becoming a top priority as consumers demand more control over their personal data. States are likely to follow Virginia and California in initiating legislation to expand consumers’ rights to prevent companies from being able to collect and share personal data without prior consent or knowledge.

To facilitate secure rights requests, however, businesses cannot trust that the person making the request is who they say they are. And as enterprises increasingly shift to digital amid the COVID-19 pandemic, fraud has also increased as cybercriminals are increasingly taking advantage of online-only operations. Since the data requested in rights requests is rich with Personally Identifiable Information (PII), it holds a significant commercial value to cybercriminals. Armed with this information, they can then perpetrate identity theft and even take over the online accounts of legitimate consumers.  

To safely comply with verifiable consumer requests, organizations must have a high level of assurance that the person making the request is in fact the actual account owner. Since releasing PII to the wrong consumer can have devastating repercussions, businesses need to ensure they have reliable ways to authenticate the digital identities of new users. With expanded consumer data rights come expanded enterprise responsibilities, and organizations must retain consumer trust to protect both their business and their consumers."


Published Friday, March 05, 2021 7:35 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<March 2021>