Virginia’s New Consumer Data Protection Act

Virginia recently adopted a GDPR-inspired comprehensive data protection law for Virginia residents.

What are the main points covered by Virginia’s Consumer Data Protection Act (“CDPA”)?

Like Europe’s GDPR and California’s CCPA, the CDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and to opt out of processing of the personal data for purposes of targeted advertising, sale, or profiling of the personal data.

The CDPA also expands Virginia’s definition of personal data, to include “sensitive data,” which includes, among other categories, race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation.

The CDPA also defines expectations and requirements for controllers, to limit the use of the personal data to the purpose for which it was collected, implement reasonable data protection safeguards, process data only with consent of the consumer, establish a clear privacy policy, disclose sale of personal data for advertising purposes to consumers and provide a simple mechanism to opt out of the sale, and provide a secure and reliable way for consumers to exercise these rights.  As with GDPR, controllers will also be required to conduct and document data protection assessments of processing activities created or generated after the CDPA goes into effect, and the documentation could be requested by the Virginia Attorney General. Further, the CDPA defines requirements that govern the controller-processor relationship, including, that the processor must adhere to instructions of the controller, and controllers and processors must have a data processing agreement in place.

Who does the CDPA apply to?

The CPDA applies to businesses that conduct business in Virginia, or produce products or services that target Virginia residents, and that (1) during a calendar year, control or process personal data of at least 100,000 “consumers” or (2) control or process personal data of at least 25,000 “consumers” and derive over 50% of gross revenue from the sale of personal data. “Consumer” is defined as a natural person who is a resident of Virginia, acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.

As with CCPA, there are broad exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”) and covered entities and business associates governed by HIPAA or HITECH. Other exemptions include non-profit organizations and higher education institutions.

What is the current status of CDPA and when will it take effect?

The CDPA was passed in March 2021. The CDPA will take effect in January 2023, at the same time as California’s new California Privacy Rights Act (CPRA).

What happens if companies don’t comply with the CDPA?

Unlike the CPRA, there is no private right of action for consumers. Instead, the Virginia Attorney General will have exclusive authority to enforce violations. Violators will have a 30-day period to cure infractions, after which the Attorney General can seek damages of up to $7,500 per violation.

© Polsinelli PC, Polsinelli LLP in California
National Law Review, Volumess XI, Number 222