NT Analyzer Navigates Virginia’s New Privacy Law

Virginia recently enacted its own data protection/privacy law and, as with its European and Californian predecessors, the technical piece is key.

Requirements

Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The law also requires controllers to conduct a data protection assessment and implement technical data security practices.

In addition to traditional personal data, the CDPA’s “personal data” can include, at a technical level:

  • Device identifiers
  • Advertising identifiers
  • Cookies
  • Geolocation
  • Telecom-related IDs (e.g., SIM card serial number)
  • IP address
  • In-range WiFi BSSIDs (i.e., hardware addresses for in-range local networks and connected devices)
  • In-range WiFi SSIDs (i.e., network names for in-range local networks)
  • Social network IDs (e.g., Facebook’s ‘c_user’ value).

Since the vast majority of this data comes from a consumer’s device, and not an organization’s own data centers, organizations are largely blind to the collection and sharing of this personal data (despite being legally responsible for the data).

NT Analyzer’s CDPA Solution

Like our existing CCPA solution, our CDPA solution enables organizations to determine the full scope of data sharing and collection associated with their apps, websites, and IoT. The new module aligns with the CDPA’s requirements and nuances.

For example, it categorizes parties and personal data through the lens of the CDPA, allowing organizations to determine if: (1) the data collected qualifies as “personal data” (including “sensitive data”) under the law (both traditional and technical data); (2) the receiving party qualifies as a “third party” or “processor”; and/or (3) the “personal data” shared qualifies as “targeted advertising” and/or a “sale” under the law.

Importantly, since the CDPA requires controllers to conduct a data protection assessment and implement technical security practices, the module also informs organizations if certain privacy policy disclosures need to be made, if agreements need to be put in place, and/or if the data in transit is adequately protected (e.g., encrypted).

Legal compliance requires a technical solution, and as laws like the CDPA continue to come to light, it is important that organizations have a technical solution in their tool belts to ensure proper compliance. This will help them keep their consumers’ trust, as well as avoid PR and legal exposure.

For more information on the general legal backdrop of the CDPA, please read the Data Protection Report’s article.


Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.


Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.
