Kristen Mathews spoke to IAPP about the passage of Virginia’s Consumer Data Protection Act (CDPA).
According to Kristen, the glaring differences between the CDPA and existing privacy legislation start with the definition of “personal data,” which only relates to information identifiable to a natural person. Other provisions unique to Virginia’s law are the definition of and conditions for “deidentification” and a lack of exceptions on a data subject’s right to delete.
She added that another difference in the Virginia legislation is a data protection assessment, which will be new to some companies, while others will be familiar to a degree if they fall under the GDPR’s [General Data Protection Regulation] scope.
“They’re like the GDPR data protection impact assessments,” Kristen said. “Not everybody has to do them. You’re only having to do them with certain kinds of processing, but if you do them, they’ll be internal, potentially questionnaire-based assessments of what you’re doing against any risks that may be posed to consumers.”
Read the full article.