Secure CDPA compliance using Cassie
CDPA Compliance and Cassie
Our Consent and Preference solution Cassie allows organisations to become compliant under Virginia’s Consumer Privacy Law: The Consumer Data Protection Act (CDPA). Cassie is industry and device agnostic and is tailored to adapt as the law changes and across multiple regions and languages.
Our solution will provide you with a singular source of truth through a central secure platform to manage personal data, legal basis, consent, and marketing preferences. As Cassie is API first it is flexible, secure, and scalable, providing an essential bridging system between the multiple information pots held within modern organisations.
What is The CDPA?
The Virginia Consumer Data Protection Act (CDPA), is the latest privacy law that is set to take effect on 1 January 2023 and will impact many businesses operating in Virginia as well as globally, imposing new consumer rights, rules on targeted advertising, and a requirement to conduct data protection assessments.
The CDPA applies to “controllers” which means any entity that either:
● Conducts business in Virginia, or
● Produces products or services that target Virginia residents.
A controller also has to meet one of the following thresholds to be covered by the CDPA:
● It controls or processes the personal data of at least 100,000 Virginia consumers annually and/or
● It controls or processes the personal data of at least 25,000 Virginia consumers and derives at least 50% of its gross revenue from selling personal data.
Unlike California’s Consumer Privacy Act (CCPA), regardless of their businesses turnover the CDPA applies to ANY business worldwide that processes personal information of Virginia residents.
If there are violations to the CDPA The Virginia Attorney-General will offer controllers 30 days to correct any alleged infringements. If the violation is not corrected within 30 days, the Attorney-General may impose a fine of up to $7,500 per violation. Additionally, an offending organisation could be forced to pay for “reasonable expenses incurred in investigating and preparing the case, including attorney fees.”
The CDPA’s Consumer Rights
● Right of access: You must provide a copy of any personal data you hold about a consumer on request.
● Right to correct: You must correct any inaccurate personal data you hold about a consumer on request.
● Right to delete: You must delete a consumer’s personal data on request.
● Right to data portability: On request, you must provide the consumer with a copy of their personal data in a portable and readily useable format.
● Right to opt out: You must allow consumers to opt out of:
○ Targeted advertising—this means implementing a compliant consent-management tool
○ The sale of their personal data
○ Being subject to profiling, to the extent that it advances decisions that produce “legal or similarly significant effects”
● The right to appeal: You must allow consumers to appeal any decision to refuse a consumer rights request.
Cassie is a single platform that allows you to collect and consolidate user contact, consent and preference data so your organisation can be compliant and transparent under regulations such as GDPR and CCPA. The platform currently manages over 1.6 billion preferences, for over 100 million contacts globally.
The CDPA’s Limits on Collection and Use
The CDPA imposes two principles on controllers:
● Limits on collection: You must only collect personal data that is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
● Limits on use: You must not unnecessarily process personal data for any purposes other than those that are compatible with the context in which you collected the personal data—unless you obtain the consumer’s consent.
Cassie has multiple tools to enable the collection of consent and is designed to integrate all of your digital properties. Not only does Cassie remove the hurdles from collecting consent and using information, but the management of the process is simple, and the ‘proof/context’ fulfils all global requirements. Offering complete flexibility and multi-tiered granulation, Cassie has been designed to be future-proof as communication methods change and is also multilingual, covering all languages (including non-Latin character languages).
Data Protection Assessments
Under the CDPA, controllers must conduct a data protection assessment to identify and weigh the benefits and risks of certain processing activities, including:
● Targeted advertising
● Selling personal data
● Profiling to advance decisions producing legal or similarly significant effects (such as credit applications)
The CDPA’s Privacy Policies
● The categories of personal data you process
● Your purposes for processing each category of personal data
● How consumers may exercise their rights
● Any categories of personal data you share with third parties
● Any categories of third parties with whom you share personal data.
Cassie can help you on your consent and preference journey to comply with CDPA.