
Proposed Privacy Changes in the US - California & Virginia Perspective

We look at upcoming privacy changes in California and Virginia, what you need to know, and where Veriff could help.

Author: Nino Gabrielashvili, June 28th, 2021

On November 3, 2020, Californians passed a ballot initiative to enact the California Privacy Rights Act (CPRA) of 2020. The CPRA amends and expands the California Consumer Privacy Act, known as CCPA. The CPRA’s obligations imposed on businesses become operative on January 1, 2023, and enforcement can begin on July 1, 2023. With the exception of consumer access requests, which may cover personal information collected under a longer look-back period, the new provisions of the CPRA will apply to personal information collected on or after January 1, 2022. 

Virginia signed the Consumer Data Protection Act (CDPA) on March 2, 2021, making it the second state in the U.S. to pass a comprehensive data privacy law. This law will go into effect on January 1, 2023. As expected, other states are also considering proposals, potentially creating a kind of privacy patchwork, as regulation standards and enforcement practices might vary from state to state.

Data Privacy in Virginia State

To highlight some of the important changes: under Virginia's new Act, a controller (an entity that determines the purposes and means of processing personal data) needs to be transparent about its processing activities and make the following available to consumers in a privacy policy:

  • The categories of personal data collected by the controller; 
  • The purposes for which the categories of personal data are used and disclosed to third parties, if any;
  • A list of the rights that consumers may exercise, which include the rights to access, correction, deletion, restriction of processing, and objection to processing;
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; 
  • The categories of personal data that the controller shares with third parties, if any; and 
  • The categories of third parties, if any, with whom the controller shares personal data. 

Consumers will get the following rights:

  • The right to opt out of having their personal data processed for targeted advertising or automated profiling;
  • The right to confirm whether their data is being processed;
  • The right of access;
  • The right to correct inaccuracies;
  • The right to data portability.

Enforcement of the Virginia CDPA falls solely to the attorney general. As for the future steps, the bill has been directed to the Joint Commission on Technology and Science to establish a work group to review the provisions of this act and issues related to its implementation. Findings of this working group will be reported by November 1, 2021. We are monitoring those updates and will revise our processes accordingly.

The California Privacy Rights Act 

Like the CCPA, the CPRA protects the privacy rights and interests of consumers, which it defines as all California residents. Broadly speaking, the CPRA expands the scope and applicability of the CCPA. The CPRA slightly alters the scope of covered businesses. While the CPRA maintains the CCPA’s existing monetary threshold for application, annual gross revenue over $25 million in the preceding calendar year, it changes some of the other thresholds.

The CPRA changes and expands consumers’ rights to control the collection, use, and disclosure of their personal information in a number of ways, including expanding the Right to Know and modifying the Right to Delete.

The CPRA also creates new consumer rights:

  • The Right to Correct;
  • The Right to Opt-Out of Sharing Personal Information;
  • The Right to Restrict Sensitive Information Processing. 

The CPRA establishes a new enforcement body, the California Privacy Protection Agency, and requires additional rulemaking on a number of issues. The Agency will take over the responsibility from the Attorney General and will start issuing regulations under the CPRA. The CPRA sets a July 1, 2022 deadline for issuing final regulations.

How Veriff Could Help

As mentioned above, the Virginia Privacy Act and the CPRA create new standards of data protection, including updates for data subject access requests (DSAR). To avoid non-compliance issues, companies need to recognize the importance of data subject rights and be prepared to execute these requests securely. Fulfilling a DSAR requires identifying the data subject. Because the responses to these requests contain personal data, companies need safe methods of identification to avoid non-compliance. This is where Veriff can play a pivotal role. To determine whether the person making the request is the data subject rather than a third party acting with malicious intent, Veriff helps companies conduct identity verification in a fast and secure way.

Nino Gabrielashvili

Assistant DPO/Legal Counsel

Nino Gabrielashvili is an Assistant DPO/Legal Counsel at Veriff with an MA in Information Technology Law. Having worked in the legal & compliance field since 2012, she has experience in labor law, administrative law, personal data protection, and regulatory compliance.
