Sample Virginia CDPA Privacy Policy Template
If you're a commercial business selling goods or services to the residents of Virginia, then you need to understand how Virginia's Consumer Data Protection Act (CDPA) affects you.
Essentially, if you fall under the Act's jurisdiction, you must take steps to inform Virginia residents of their data protection rights and help them exercise these rights if they choose to do so.
One of your main responsibilities under the CDPA is drafting a Privacy Notice, or Privacy Policy, setting out these rights in more detail.
Let's break down how the Act works and what a CDPA-compliant Privacy Policy looks like.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. What is the CDPA?
- 2. Who Must Comply With the CDPA?
- 3. How to Write a CDPA-Compliant Privacy Policy
- 3.1. Introduction
- 3.2. Jurisdiction
- 3.3. Contact Details
- 3.4. The Rights of the Individual
- 3.5. The Data You Collect
- 3.6. Purposes of Data Collection and How You Use the Data
- 3.7. Your Personal Data Sharing Policies
- 3.8. Selling Personal Information
- 4. Where to Display Your CDPA Privacy Policy
- 4.1. Website Footer
- 4.2. At the Point of Data Collection
- 4.3. Within Other Policies
- 5. What Happens if Your Privacy Policy Doesn't Comply With the CDPA?
- 6. Key Takeaways
What is the CDPA?
The Consumer Data Protection Act protects what's known as personal data, or personal information. Personal information is defined in Section 59.1-571 as, basically, any single piece of data you can use to identify an individual person:
So, examples of "personal data" can include information such as names, email addresses, IP addresses, and even employment data.
As a business, you have various obligations under the CDPA. You must:
- Draft and publish a Privacy Notice or Privacy Policy. This sets out what rights people have over their data and how you facilitate these rights.
- Take steps to reduce or minimize how much data you collect.
- Ensure you get consent before collecting "sensitive" personal data. This includes all data belonging to minors, and data you can use to identify sensitive characteristics like someone's mental health status.
- Provide sufficient cybersecurity to protect any personal data you handle.
Although we're focusing on Privacy Policies, just be aware it's not the only obligation you have under the Act.
Before we move on, here's something to bear in mind. The CDPA won't become law until January 1, 2023. However, the earlier you draft your Privacy Policy, the more prepared you'll be when the law comes into force.
Also, other laws require a Privacy Policy, so if you don't have one yet, you will need one anyway.
Who Must Comply With the CDPA?
To be clear, Virginia's CDPA only applies if you're a commercial, for-profit business selling goods or services to Virginia residents and you either:
- Derive more than 50% of your gross revenue from selling personal information and process personal data belonging to more than 25,000 residents, or
- Process data belonging to more than 100,000 Virginia consumers
So, most B2C companies selling in Virginia will need to comply, which of course means drafting a Privacy Policy. However, if you're a non-profit, the CDPA doesn't apply to you.
How to Write a CDPA-Compliant Privacy Policy
Think of a Privacy Policy as a written notice of what happens to someone's personal data from the moment they share it with you, until the moment it's permanently erased.
What a Privacy Policy must include varies slightly depending on which law applies, but basically, if you need to write a CDPA-compliant Privacy Policy, here's what it should include.
First, you need to introduce the Policy, explain which laws apply, and provide some contact details for people to reach you.
Next, you must include clauses explaining the following:
- Individual rights: This clause tells people what rights they have, and how to exercise them.
- Personal data collection: What information you collect from someone.
- Purpose of collection: The reason(s) why you process this data.
- Personal data usage: What you do with the data.
- Third party sharing: Who you share the data with, and why.
- Sale of data: The clause detailing whether you sell data, and who you sell it to.
Now, let's break down each of these clauses, one at a time.
Introduction
The introduction simply sets out what the document is, and what it covers.
- Include the effective date i.e. the date the Policy came into force.
- Explain that it's a Privacy Policy, which tells people what happens to the data they share with your business.
- Confirm that the person can't use your website unless they agree to your Privacy Policy.
Here's a good example from Papa Murphy's. In just a few lines, it sets out what they Policy is, what it covers, and where people can find out more:
You'll note they last updated the Policy on November 30, 2020. Make sure to always change the date to reflect when you last amended your Policy so people know how up to date (or not) that it is.
Jurisdiction
In this context, jurisdiction simply means which federal or state laws govern the agreement between you and the consumer. In other words, it's which laws apply if there's ever a court action or disagreement.
Wendy's, for example, relies on laws set by the State of Ohio:
As you'll see from this clause, you don't need much detail here. Just include enough so consumers know which state or federal laws apply.
Contact Details
You must ensure consumers know how to contact you with any questions about your Privacy Policy, or to exercise their rights. Ideally, this means providing at least two ways to contact you, but you can always include more.
For example, Papa Murphy's provides an email address, phone number, and mailing address. Including at least one free option like an email address is good practice:
The Rights of the Individual
As set out in Section 59.1-573, the CDPA gives consumers five specific rights over their personal data. Basically, people can ask to see what data you hold on them, and you must delete it upon request. You must also amend any errors they point out, and if they refuse to let you sell their data, you must comply with this:
Your Privacy Policy should explain these rights and how people can exercise them. Keep this clause simple and easy for the average reader to understand.
Here's an example from Macy's. Although it's for the California Consumer Privacy Act (CCPA) the principle is the same:
The Data You Collect
Tell customers what data you collect, and how you collect it. Give examples, but don't be so restrictive that you can't collect anything else.
- Use language like "such as" to show the examples you're giving aren't exhaustive.
- Be clear about the ways you collect data e.g. maybe someone voluntarily shares it with you, or you collect it through automated means.
Wendy's for example, collects data in three ways:
Notice how the phrasing says "such as" to illustrate how the list isn't exhaustive, but is rather giving some examples:
You should also set out how you actually collect this data e.g. if you use cookies or if you rely on customers sharing the information with you.
Here's an example from Macy's of how you might structure this section:
Purposes of Data Collection and How You Use the Data
Tell customers why you're collecting the data in the first place e.g. to complete an order or to personalized your marketing. Again, the clause should be clear, succinct, and easily understood.
Papa Murphy's has a good example of how to set out a clause like this in short, simple paragraphs:
Tell consumers how you plan on using their data. The golden rule is this: If you can't articulate why you need a piece of data e.g. someone's date of birth, then you shouldn't collect it.
To be sure you're not limiting yourself, you can use language like "for example" or "such as" to ensure people know you might use their data for other purposes.
Barnes & Noble, for example, uses the phrase "manage our business," which can be interpreted very widely:
You're trying to strike a balance between ensuring there's enough information available for people to give informed consent to your Privacy Policy, and ensuring you're free to run your business.
Your Personal Data Sharing Policies
If you share personal data with any source, whether it's for marketing or some other purpose, you must declare this in your Privacy Policy. Even if you're only sharing data internally between departments, consumers have the right to know this.
Macy's helpfully breaks this clause down into concise, clear paragraphs with bolded wording so consumers can easily the key information:
If you use cookies or another tracking technology, you would specify it here, like this example from Garden Season. You'll note how the company also explains how people can reject cookies, which is great practice because it's helping people to facilitate their privacy rights:
Selling Personal Information
By "selling" personal information, we're talking about selling personal data to third parties. If this is something you do, you must highlight this in your Privacy Policy. Moreover, you must tell customers how they can opt out of this.
Here's an example from Wendy's. Wendy's tells customers they have the right to opt out:
Wendy's also provides the means for users to do so:
Note that even though the CCPA is referenced in the clause, the same approach will go for the CDPA and other privacy laws. The concept remains the same even though the law may have a different name.
Where to Display Your CDPA Privacy Policy
It's not enough to just draft a Privacy Policy. You must also ensure consumers have the chance to read it before they hand over any personal data.
There are three places in particular you should link to your Privacy Policy.
Website Footer
Make it easy for people to find your Privacy Policy by placing a link in your footer. Ideally, you should place the link beside your other key documents so consumers can read them together.
Here's an example from Martha Stewart:
You'll notice the link is right beside the Terms of Service and other critical information. Users are familiar with this set-up of putting important links in the footer, so it's a common best practice.
At the Point of Data Collection
Under the CDPA, you don't always need someone's consent to collect their data. However, remember, if you're collecting sensitive data, you will need consent.
What constitutes consent? Well, under the CDPA, it must be clear, freely offered, and affirmative. In other words, a consumer must do something to clearly indicate they're consenting to personal data processing.
The best way to get express consent? Use a checkbox to indicate the consumer consents to your Privacy Policy.
Here's an example from Little Caesars Pizza. Before the customer opens an account by submitting their personal information, they must clearly indicate they've read and agree to the Privacy Policy:
Within Other Policies
Give consumers easy access to your Privacy Policy by linking to it within other documents, like your Terms of Use or Cookies Policy.
Here's a great example from Wendy's. There's a link to the Privacy Policy near the start of the Terms and Conditions, so consumers can quickly flip between both documents:
Wendy's places the key information consumers need at their fingertips in this useful summary of contents.
What Happens if Your Privacy Policy Doesn't Comply With the CDPA?
If your Privacy Policy doesn't meet the standards set out in the Consumer Data Protection Act, you could be fined up to $7,500 for the violation.
Essentially, if a customer complains about your Privacy Policy, the Attorney General will give you 30 days to correct whatever's gone wrong with your data collection practices. If you don't comply with the Attorney General's request, you'll likely face a financial penalty. The rules are set out in Section 59.1-579 of the Act:
To be clear, the consumer can't "sue" you directly if there's anything wrong with your Privacy Policy. They must go through the Attorney General.
Key Takeaways
If you're a business selling goods or services to Virginia residents, you need to comply with Virginia's CDPA. This Act gives people new rights over their personal data, and it restricts what businesses can do with the personal information they collect.
In particular, if you fall under the CDPA's jurisdiction, you must draft a Privacy Notice, or Privacy Policy, explaining at minimum the following seven things:
- Whether you collect personal data from consumers
- Which laws apply, should anything go wrong with the agreement
- Why you need a consumer's personal information
- Who you share the personal data with
- Whether you sell personal information to third parties
- What rights a consumer has over their personal data
- How they can contact you to exercise these rights
You should display your Privacy Policy somewhere obvious on your website to ensure consumers have the chance to read it before they provide any personal data. This includes placing a link to your Policy in the website footer and within your other key documents. You should also link to it at the point of data collection e.g. when someone opens an account or signs up for an email marketing list.
If you fail to comply with your responsibilities under the CDPA, you could be fined up to $7,500 per violation.
