CDPA: Untangling personal, public, and sensitive data

The newest and most comprehensive data protection law in the United States guards personal data with great care, but not all data counts as personal.

On March 8, the Consumer Data Protection Act (CDPA) is set to become law in Virginia. The result: by 2023, many people and businesses that come into contact with Virginians' personal data will have to do things differently or risk the price (up to $7,500 per violation, plus expenses and attorney fees).

The CDPA exempts nonprofits, institutions of higher education, Virginia state agencies and local government bodies, and companies/entities subject to HIPAA or the Gramm-Leach-Bliley Act (GLBA) (to avoid a federal preemption issue). Otherwise, the CDPA applies to any business or entity that conducts business in Virginia, or targets Virginia residents, and that either:

1. controls or processes the personal data of at least 100,000 Virginia consumers in a calendar year (regardless of revenue); OR

2. controls or processes the personal data of at least 25,000 Virginia consumers in a calendar year and derives more than 50% of gross revenue from the sale of personal data.

All this requires an answer to a final question: what makes data “personal”?

The CDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” (There are some exceptions; more on that later.)

The CDPA carves out data already covered by certain federal laws (including HIPAA, FCRA, FERPA, the Driver’s Privacy Protection Act, and the Farm Credit Act), data processed for “emergency contact” purposes, and data that employers maintain about employees and contractors in the ordinary course of business. Otherwise, the CDPA’s “personal data” domain for Virginia consumers is intentionally very broad. In general, if a company meets the CDPA thresholds, its Virginia consumers can opt out of certain processing of their personal data (such as its sale, or its use for targeted advertising or profiling).

But what about the really sensitive stuff?

Sensitive data under the CDPA: broad and uncertain

While the CDPA does not generally require consent before a business processes personal data (consumers instead get opt-out rights), collecting certain information is opt-in only. The CDPA singles out a subcategory of personal data as “sensitive data”; businesses covered by the CDPA may process sensitive data only with the consumer’s consent.

The CDPA defines “sensitive data” as “a category of personal data that includes” (the exact language follows):

1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;

3. The personal data collected from a known child; or

4. Precise geolocation data.

“Sensitive data” may be even broader than this list thanks to the careful use of the word “includes”; it appears the Virginia Attorney General could treat other categories as sensitive that Virginia lawmakers never spelled out. This leaves considerable uncertainty in the regulation.

Another critical word drastically limits sensitive data: “personal.”

Public data is not personal data

As broad as the CDPA’s definition of “personal data” is, it has limits. The definition specifically excludes (1) de-identified data and (2) “publicly available information.”

The first exclusion is probably obvious (if data is de-identified, it cannot be linked or reasonably linkable to an identified or identifiable person). The second exclusion is the important one: if it is public, it is not personal, and if it is not personal, it is not sensitive.

This is one of the main limitations on the CDPA’s scope (read: “loophole”). It is compounded when one looks at how the CDPA defines “publicly available information,” which is even broader than the phrase might otherwise be read.

Naturally, the definition covers data that is “lawfully made available through federal, state, or local government records.” But even if information does not fall into that subcategory, it is still “publicly available” if the business merely “has a reasonable basis to believe [that the information] is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”

That is, if a Virginia consumer publishes an unrestricted public post containing sensitive information on a major social media application (or, for that matter, if someone to whom the Virginia resident has lawfully disclosed that information does so), it appears that for many controllers and processors the information falls into this sizable gap: it is not “sensitive” under the CDPA because it fails the CDPA’s “personal” requirement on account of its public availability. (Prediction: an uptick in sales of software that scrapes publicly available information from social media profiles and news sites.) The same goes for non-anonymized information in many public news sources, in most public government records, or in other public media or forums.

Other laws and regulations may overlap in this area, depending on the circumstances (and those other laws and regulations are outside the scope of this piece), but if a controller can reasonably establish the “public” nature of the information, it appears the CDPA imposes no obligation to disclose, correct, or delete it.

In addition, the CDPA contains at least one “do no harm” provision, complete with the customary constitutional savings clause stating that the CDPA cannot be construed to restrict First Amendment protections.
