Any day now, Virginia will likely become the second state, behind California, to adopt a GDPR-inspired comprehensive data protection law for Virginia residents.

What are the main points covered by Virginia’s Consumer Data Protection Act (“CDPA”)?

Like Europe’s GDPR and California’s CCPA, the CDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and to opt out of processing of the personal data for purposes of targeted advertising, sale, or profiling of the personal data.

The CDPA also expands Virginia’s definition of personal data, to include “sensitive data,” which includes, among other categories, race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation.

The CDPA also defines expectations and requirements for controllers, to limit the use of the personal data to the purpose for which it was collected, implement reasonable data protection safeguards, process data only with consent of the consumer, establish a clear privacy policy, disclose sale of personal data for advertising purposes to consumers and provide a simple mechanism to opt out of the sale, and provide a secure and reliable way for consumers to exercise these rights.  As with GDPR, controllers will also be required to conduct and document data protection assessments of processing activities created or generated after the CDPA goes into effect, and the documentation could be requested by the Virginia Attorney General. Further, the CDPA defines requirements that govern the controller-processor relationship, including, that the processor must adhere to instructions of the controller, and controllers and processors must have a data processing agreement in place.

Who does the CPDA apply to?

The CPDA will apply to businesses that conduct business in Virginia, or produce products or services that target Virginia residents, and that (1) during a calendar year, control or process personal data of at least 100,000 “consumers” or (2) control or process personal data of at least 25,000 “consumers” and derive over 50% of gross revenue from the sale of personal data. “Consumer” is defined as a natural person who is a resident of Virginia, acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.

As with CCPA, there are broad exemptions for financial institutions subject to the GLBA, covered entities and business associates governed by HIPAA or HITECH, non-profit organizations and higher education institutions subject to FERPA.

What is the current status of the proposed bill and when is it likely to come into force?

The CDPA was already passed by Virginia’s House of Delegates and Senate earlier this year and is expected to be sent to the Governor later this month. If passed, the CDPA would take effect in January 2023, at the same time as California’s new California Privacy Rights Act (CPRA).

What happens if companies don’t comply with the CDPA?

Unlike the CCPA / CPRA, there is no private right of action for consumers. Instead, the Virginia Attorney General will have exclusive authority to enforce violations. Violators will have a 30-day period to cure infractions, after which the Attorney General can seek damages of up to $7,500 per violation.