Virginia Passes New Consumer Data Protection Act

UB Greensfelder LLP

The CDPA adopts aspects of the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA). The CDPA applies to businesses that collect or process large amounts of consumer data and either do business in Virginia or target Virginia residents, but excludes coverage of financial institutions subject to the Gramm-Leach-Bliley Act and entities subject to the Health Insurance Portability and Accountability Act. Unlike the CCPA, the CDPA does not apply to employee data or business-to-business data collections.

Under the new law, Virginia consumers will have new rights to access, correct, delete, and obtain copies of their personal data from covered businesses and, significantly, to opt out of having their personal data used for targeted advertising. The new law also creates various responsibilities for companies that collect (controllers) and process (processors) consumers’ personal data to ensure security and privacy. Controllers have additional duties to:

  • Provide reasonable security to protect personal data;
  • Obtain consent to process sensitive data;
  • Enter into data processing agreements (DPAs) with their data processors containing specifically prescribed terms to protect consumers;
  • Provide detailed privacy notices;
  • Notify consumers if they sell personal data;
  • Establish a means for consumers to request to exercise their rights under the CDPA; and
  • Conduct and document a data protection assessment for certain processing activities, including the sale and use of personal data.

Processors’ duties are generally set out in their DPAs with controllers.

While the CDPA does not provide a private right of action for consumers, the Virginia Attorney General is expected to vigorously investigate and enforce violations of the new law, and, where appropriate, seek penalties against violators of up to $7,500 per violation for failure to cure within 30 days of notice.

There is still time for businesses to assess whether they may be subject to the CDPA as well as prior states’ comprehensive privacy laws. Virginia’s new law may be the catalyst that pushes Congress to enact a preemptive federal consumer data privacy law, but in the meantime it is clear that other states are in the process of enacting their own data privacy laws. While it is challenging for businesses to comply with the patchwork of states’ data privacy laws, it is critical to do so to minimize or avoid costly investigations and penalties.
