Click here to learn more about John Noltensmeyer.

Virginia’s governor recently signed the Consumer Data Protection Act (CDPA), only the second comprehensive data privacy law in the United States after the California Consumer Privacy Act of 2018 (CCPA). The passage of this law means that businesses now have two new state-specific regulations to prepare for prior to January 1, 2023, including California’s Privacy Rights Act (CPRA).

Several other states are also planning possible privacy legislation, with multiple laws also under consideration at the federal level. As more states debate and pass privacy regulations, there is increasing likelihood we will see a national compliance standard.

Until then, it is a good idea for businesses to not delay preparations to conform with state-level regulations like Virginia’s new law. Executive leadership would be wise to assume they will be subject to the Virginia and California laws if they are not already, and take an approach where they can apply compliance uniformly. For example, utilizing technology like pseudonymization through tokenization, businesses can protect consumers’ sensitive data while also meeting the compliance obligations for current and future laws across multiple jurisdictions.

These experts also offer suggestions for how to get started with compliance efforts.

Bill O’Neill, VP of Public Sector, Centrify:

Compliance with Virginia’s newly-introduced privacy bill, the Consumer Data Protection Act (CDPA), may introduce complexities for many large businesses due to currently distributed workforces. Unfortunately, we are in a time where more information is online, and more dispersed than ever before, making everyone more vulnerable.

Using essential cyber measures that secure privileged accounts is imperative to prevent hackers from gaining access to privileged account data, as well as private messages, security information, and other personal details. But, unlike the revenue-based compliance hurdles in the California Consumer Privacy Act (CCPA) and the private right to action, Virginia’s CDPA appears to spare smaller businesses from complying with the privacy law, or being subject to costly litigation in the event of a breach. This can be a double-edged sword for consumers, especially if smaller businesses are not investing in technologies to secure access or identities, and don’t have IT administration teams to help secure customer data.

Still, this law could spark further dialogue toward a national standard that protects consumer privacy and gives individuals control over how their data is used. We advocate for organizations to adopt a least privilege approach to reduce unnecessary and potentially damaging lateral movement inside of networks, in addition to using solutions that enable secure remote access to data centers and cloud-based infrastructure. These solutions secure all administrative access with risk-aware, multi-factor authentication (MFA) and, as a best practice, maintain the level of compliance that can improve an organization’s security posture, minimize the risks of compromised credentials, and ensure data privacy for both the organization and its customers for the long term.

Josh Odom, CTO, Pathwire:

With Virginia’s new privacy law, the Consumer Data Protection Act (CDPA), being sent to the governor’s desk, it’s time we broke down the most prominent privacy regulations and how they play into the data-saturated world of email marketing.

The EU’s General Data Protection Regulation (GDPR) covers several lawful bases for data processing, and consent is one of them. As email marketers, we need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR is specific to the activity. We must ask ourselves: Do I have permission to send marketing messages to them? Are they expecting my emails?

Even a scammer would need my explicit consent to continue sending me spam. While this might frustrate email marketers, customers must also have the option to withdraw consent (objecting to use of information for direct marketing) if they decide they don’t want to hear from you anymore. But why would you want to talk to someone who isn’t interested in what you have to say anyway?

The CDPA echoes the importance of consent. Email marketers must be explicit about any information collected or processed from residents of the state of Virginia – and work with their sales teams to ensure that contact receives the same quality service at the same price as all prospects, regardless of their privacy decisions.

Whether you’re looking to optimize your GDPR, CCPA, or CDPA compliance, or just getting started in email marketing and want to ensure you’re on the right path, prioritizing steps into actionable pieces is the way to go. Confirming consent with existing contacts and protecting data with proper security measures can seem overwhelming, but when in doubt don’t hesitate to reach out for advice or to a lawyer that specializes in data protection.

At the end of the day, what matters is keeping your contacts informed at all times of what’s being done with their information. Having a trail of documentation that you can show to prove this will prepare you in case you’re audited for compliance purposes.

Samantha Humphries, Head of Security Strategy, EMEA, Exabeam:

With Virginia soon to join the ranks of California with a data privacy law and at least four other states considering similar legislation, organizations in the U.S. must begin to consider how they would comply with a privacy law in their own state. While the particular nuances of each law will vary, companies can start by aiming to be transparent about data monitoring. Businesses must ensure they are offering customers and staff information on what data is being collected, and the right to say no and opt out of data collection. Now would be a good time to update privacy policies and notes, check on the company consumers’ rights protocols and data gathering processes, as well as boosting the overall security posture of the organization from both a protection and a response perspective.

Even for organizations in states where there are not currently privacy laws being considered, it is a good idea to consider the following as guiding points for data protection:

• Who will have access to the data?
• What is the personal data being used for, and for how long should it be kept?
• Where is the data being stored?
• Is inaccurate or incomplete data being erased or corrected?
• How is the data being secured?

The key to preparing for data privacy legislation is transparency and education. By prioritizing the safeguarding of digital information, an organization can ensure they are meeting potential compliance standards and protecting their employees and customers. Ultimately, good practice in these areas instils consumer confidence and trust, and therefore should be part and parcel of doing business regardless of legislation.