Virginia’s Consumer Data Protection Act (CDPA) was signed into law by Gov. Ralph Northam on March 2, 2021. While the CDPA will not take effect until January 1, 2023, businesses should start integrating their distinct obligations into their privacy compliance frameworks while recognizing the differences between the CDPA and existing regulations, such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the European Union’s General Data Protection Regulation (GDPR), and Brazil’s General Data Protection Law (LGPD).

The following highlights some key questions and considerations for businesses collecting, maintaining, and storing the personal information of Virginia individuals and households. 
 

What businesses does the CDPA apply to?

The CDPA applies to entities that conduct business in the commonwealth and either:

1. Control or process personal data of at least 100,000 consumers; or
2. Derive more than 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

Notably, the general revenue trigger present in the CCPA is not present in the CDPA.

What rights are given to consumers?

Like the CCPA, the GDPR, and the LGPD, consumers are given a distinct set of rights. The CDPA gives consumers the following rights:

1. Right to Be Informed/Right to Access: Consumers have the right to know what data is being collected and processed by a business.
2. Right to Correct: Consumers have the right to correct information that may be inaccurate.
3. Right to Data Deletion: Consumers have the right to request that the personal information a business collects and processes be deleted.
4. Right to Data Portability: Consumers have the right to request a copy of their data in a readily accessible format, such as a .csv or PDF file.
5. Right to Opt Out of Processing: Consumers have the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling activities with personal data that may affect the consumer.

What is the timeline for responding to consumer requests?

Businesses must respond to consumer requests within 45 days, and a business can extend this initial 45-day period if it notifies the consumer that his or her request may take additional time to address.

Clear consumer notice

One of the benchmarks of the various domestic and global privacy regulations is meaningful consumer notice. The CDPA mirrors these requirements and makes it clear that businesses that do business in Virginia must provide consumers with notice that includes the categories of personal data collected, the purpose of the data collection, the categories of personal information that may be shared with third parties (service providers and vendors), and provisions concerning how consumers can exercise their consumer rights under the CDPA.

Data privacy impact assessments are required

Businesses must undertake data privacy impact assessments (described as “data protection assessments” in the CDPA) in regard to data processing activities. The attorney general can request copies of these assessments.

These assessments are required by the GDPR but not for the CCPA.

Data collection should be minimized

The principle of data minimization appears in several data privacy regulations, which calls for businesses to limit the personal data that they are collecting. This principle essentially endorses a “use it or lose it” approach to data to reduce liabilities attached to this data. The CDPA is no different and places this requirement on businesses.

Consumer consent required for certain processing activities and sensitive data

The CDPA requires consumer consent if a business processes data in a manner that was not previously disclosed to the consumer. Consent must be affirmatively obtained if the business is collecting and processing sensitive personal data. This is distinct from the CPRA since there is no consent requirement. The CPRA has the same January 1, 2023, effective date as the CDPA, so it is important to note this distinction.

“Reasonable security” standard appears in CDPA

The “reasonable security” standard is becoming a prominent feature of consumer data privacy regulation. This requires businesses to put into place and maintain reasonable administrative, physical, and technical controls to protect consumers’ personal information.

The CDPA does not provide for a private right of action like the CCPA (and the CPRA, which also goes into effect on January 1, 2023).

Vendor obligations

Businesses must have agreements, data privacy addendums, and other agreements in place as it relates to the responsibilities in processing personal data. It is advised that businesses adopt vendor procurement policies and have a framework in place to assess vendors’ data privacy practices.

Who will enforce the CDPA?

The Virginia Office of the Attorney General is tasked with enforcing the CDPA.

What are the consequences of noncompliance?

The Virginia Office of the Attorney General can seek:

1. Injunctive relief
2. Civil penalties of $7,500 per violation

Businesses out of compliance (unlike the CPRA) have a 30-day cure period to rectify violations of the CDPA.

Now is the time to comply

Like the CCPA, which will be replaced by the CPRA in January 2023, the CDPA will now need to go through administrative and implementation processes before the January 1, 2023, effective date. Legislatures in states such as Florida and Washington are also considering privacy bills that closely resemble the requirements of the CDPA.

Consumer-focused privacy legislation is becoming a national trend, with several other states expected to pass bills to protect personal data over the next two years. Accordingly, businesses would be wise to update their privacy compliance programs to account for this changing landscape.