February 6, 2023

Volume XIII, Number 37

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

Virginia’s New Consumer Data Protection Act

Virginia recently adopted a GDPR-inspired comprehensive data protection law for Virginia residents.

What are the main points covered by Virginia’s Consumer Data Protection Act (“CDPA”)?

Like Europe’s GDPR and California’s CCPA, the CDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and to opt out of processing of the personal data for purposes of targeted advertising, sale, or profiling of the personal data.

The CDPA also expands Virginia’s definition of personal data, to include “sensitive data,” which includes, among other categories, race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation.

The CDPA also defines expectations and requirements for controllers, to limit the use of the personal data to the purpose for which it was collected, implement reasonable data protection safeguards, process data only with consent of the consumer, establish a clear privacy policy, disclose sale of personal data for advertising purposes to consumers and provide a simple mechanism to opt out of the sale, and provide a secure and reliable way for consumers to exercise these rights.  As with GDPR, controllers will also be required to conduct and document data protection assessments of processing activities created or generated after the CDPA goes into effect, and the documentation could be requested by the Virginia Attorney General. Further, the CDPA defines requirements that govern the controller-processor relationship, including, that the processor must adhere to instructions of the controller, and controllers and processors must have a data processing agreement in place.

Who does the CDPA apply to?

The CPDA applies to businesses that conduct business in Virginia, or produce products or services that target Virginia residents, and that (1) during a calendar year, control or process personal data of at least 100,000 “consumers” or (2) control or process personal data of at least 25,000 “consumers” and derive over 50% of gross revenue from the sale of personal data. “Consumer” is defined as a natural person who is a resident of Virginia, acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.

As with CCPA, there are broad exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”) and covered entities and business associates governed by HIPAA or HITECH. Other exemptions include non-profit organizations and higher education institutions.

What is the current status of CDPA and when will it take effect?

The CDPA was passed in March 2021. The CDPA will take effect in January 2023, at the same time as California’s new California Privacy Rights Act (CPRA).

What happens if companies don’t comply with the CDPA?

Unlike the CPRA, there is no private right of action for consumers. Instead, the Virginia Attorney General will have exclusive authority to enforce violations. Violators will have a 30-day period to cure infractions, after which the Attorney General can seek damages of up to $7,500 per violation.

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume XI, Number 222

About this Author


Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters.  Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing.  She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement...

Caitlin A. Smith Technology Transactions Attorney Polsinelli Washington, D.C.

Caitlin A. Smith is an associate in the Technology Transactions and Data Privacy practice. Caitlin regularly advises clients of all sizes and industries through privacy and data security matters, including counseling on compliance with domestic and international privacy and data security laws and regulations. Further, Caitlin advises clients on best practices to prepare for and prevent cybersecurity incidents through risk management counseling, review of policies and procedures, and facilitation of tabletop exercises. Caitlin is committed to understanding each client’s business practices...