Virginia Leads U.S. Closer to National Consumer Data Laws

Privacy

Last month Virginia joined California as the second U.S. state to enact comprehensive data privacy legislation—the Virginia Consumer Data Protection Act (CDPA). States are moving towards uniformity around privacy laws beyond HIPAA—mimicking Europe’s General Data Protection Regulation (GDPR). U.S.-based health tech companies should be preparing for the likelihood that we will see a similar national consumer data privacy law.  It’s not a question of “if” but rather “when.” Federal data privacy bills introduced in Congress this year and are gaining more momentum than ever before. 

“Privacy by design” approaches—where Health Tech companies anticipate early and incorporate thorough consumer rights and business obligations into their product and business model—will be key in becoming a market leader. Proactive efforts to align with these emerging privacy landscapes will save your company money and resources down the road, and help you avoid the onerous and expensive task of retrofitting later on.  These laws are complex, so work with experts at Elevation if you do not have a regulatory team in house or if your in-house team is spread thin.  To understand the direction of U.S. privacy laws, which are being lead currently through state-based efforts, start with state regulations in California and Virginia.  Below is an overview of the rights and obligations seen in both the California and Virginia privacy laws.

California Virginia
Consumer Rights
Access personal information
Correct personal information
Delete personal information
Data portability
Opt-out of the sale of personal information
Right against solely automated decision-making
Opt-in to processing of “sensitive data”
Prohibition on discrimination against a consumer for exercising a right
Private right of action
-
Appeals process
-
Business Obligations
Strict opt-ins for sale of personal information for consumers under a certain age
16 Years Old
13 Years old
Notice/transparency requirements
Mandated risk assessment
Data minimization
Purpose limitation
Processing limitation
Third party sale notification
Security requirements
Fiduciary Duty
-
-

Get our latest insights on healthcare regulatory compliance delivered directly to your inbox.

Health Consulting

Regulatory alignment for the next generation of health tech companies

© 2020 Elevation Health Consulting. All Rights Reserved. Privacy Notice