Can I skip monitoring and auditing compliance with CCPA in Virginia? What are the requirements?
Requirements for Monitoring and Auditing Compliance with CCPA in Virginia
The California Consumer Privacy Act (CCPA) applies to businesses, service providers, contractors, and third parties as those terms are defined in Civil Code § 1798.140. If you are a controller that possesses “de-identified data,” you shall comply with the requirements of subsection A of § 59.1-581 [3].
The Consumer Compliance Examination Manual by FDIC states that financial institutions must comply with the requirements and proscriptions of federal consumer protection laws and regulations, including monitoring and/or audit, and complaint response [4].
However, it is important to note that Virginia has its own privacy law, the Consumer Data Protection Act (CDPA), which applies to controllers that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that meet certain revenue or data processing thresholds. The CDPA requires controllers to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, and to conduct periodic data protection assessments [3].
Therefore, if you are a controller subject to the CCPA and the CDPA, you must comply with both laws and their respective requirements for monitoring and auditing compliance.
In summary, you cannot skip monitoring and auditing compliance with CCPA in Virginia if you are subject to both laws. The requirements for monitoring and auditing compliance with CCPA and CDPA are to comply with the requirements of the respective laws and regulations.
Source(s):
- [3] Code of Virginia Code - Chapter 53. Consumer Data Protection Act
- [4] Consumer Compliance Examination Manual | FDIC
Jurisdiction
Virginia