DMD’s Lab Report: The Art & Science of Healthcare Email explores insights, trends, and obstacles affecting healthcare email. From strategy to creative, deployment to reporting, we aim to address the most pressing issues healthcare marketers face.
In the Lab Report, we aim to keep healthcare marketers apprised of significant changes surrounding email marketing. As Virginia becomes the third state to enact state-level data privacy legislation, this news is worthy of “front page” status for April’s edition.
On March 2, 2021, Virginia governor Ralph Northam signed into law the “Virginia Consumer Data Protection Act” (CDPA). It follows in the footsteps of California's Consumer Privacy Act (CCPA), a second California law—the California Privacy Rights Act (CPRA)—and Nevada’s SB220.
Virginia’s law introduces new wrinkles into the current U.S. data privacy landscape. Here are some key points for healthcare marketers to consider.
Exclusions, Definitions, and Provisions
1) The Virginia CDPA excludes business-to-business (B2B) communications. So, pharma-to-physician and hospital-to-physician communications will not be governed by the new law.
2) Another exclusion: The law only applies if an entity retains personal information on more than 100,000 Virginia residents. With only 27,953 physicians and 12,825 NP/PAs currently in the state, this will not bring about compliance concerns—at least as the law stands now. One might say this is a “pro-business” concession.
3) CDPA does not take effect until January 1, 2023—allowing plenty of time for the state to collect feedback and make any adjustments to the legislation’s language and parameters. However, it should be noted that it only took 58 days for CDPA to become law, an incredibly short timeline.
4) The core of the law, “consent management,” is consistent with California and Nevada statutes. CDPA gives residents the right to access, correct, obtain a copy of, block sales of, and request the deletion of personal data.
**Are you currently in compliance with the California and Nevada laws? We can help.**
5) Virginia’s law is the first U.S. law to touch on the active opt-in provision—first presented by the European Union’s GDPR. CDPA requires an opt-in for its definition of “sensitive data,” which the law defines as “racial, religious, mental and physical health, sexual orientation, citizenship status, genetic, biometric, precise geolocation, and any data about a child.”
This last point is interesting from our point of view, because at DMD we believe that every piece of personal information should only be collected with a “GDPR-style” opt-in—not just the data points outlined by CDPA. As more state- and federal-level legislation takes form, the definition of “sensitive data” will likely be up for debate.
Our Advice? Hang Tight for Now
While CDPA does put additional pressure on Congress to pass something at the federal level, its immediate impact on healthcare marketing is null. With the lack of B2B regulation, a 2023 “start date,” and the prediction that the law will be modified prior to becoming effective, we don’t see any reason for healthcare marketers to take action at this time.
Of course, we’ll continue to provide updates on this law and any other data privacy initiative that takes shape over the next few months. To learn more about Virginia’s law and its criteria, access the full Lab Report HERE.