Virginia recently adopted a GDPR-inspired comprehensive data protection law for Virginia residents.
What are the main points covered by Virginia’s Consumer Data Protection Act (“CDPA”)?
Like Europe’s GDPR and California’s CCPA, the CDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and to opt out of processing of the personal data for purposes of targeted advertising, sale, or profiling of the personal data.
The CDPA also expands Virginia’s definition of personal data to include “sensitive data,” which covers, among other categories, race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation.
Who does the CDPA apply to?
The CDPA applies to businesses that conduct business in Virginia, or produce products or services that target Virginia residents, and that (1) during a calendar year, control or process personal data of at least 100,000 “consumers” or (2) control or process personal data of at least 25,000 “consumers” and derive over 50% of gross revenue from the sale of personal data. “Consumer” is defined as a natural person who is a resident of Virginia, acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.
As with CCPA, there are broad exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”) and covered entities and business associates governed by HIPAA or HITECH. Other exemptions include non-profit organizations and higher education institutions.
What is the current status of CDPA and when will it take effect?
The CDPA was passed in March 2021. The CDPA will take effect in January 2023, at the same time as California’s new California Privacy Rights Act (CPRA).
What happens if companies don’t comply with the CDPA?
Unlike the CPRA, there is no private right of action for consumers. Instead, the Virginia Attorney General will have exclusive authority to enforce violations. Violators will have a 30-day period to cure infractions, after which the Attorney General can seek damages of up to $7,500 per violation.