News

Virginia Passes New Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (CDPA) was recently passed, becoming the second U.S. state to enforce state data protection laws. Learn when it's effective and who will it apply to, the specifics of the consumer rights, and how it differs from the California Consumer Privacy Act (CCPA).

Virginia Passes New Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (CDPA) was recently passed, becoming the second U.S. state to enforce state data protection laws. While some of the provisions mirror the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the below highlights the new requirements set forth in Virginia.

When is it effective and who does it apply to?

  • Effective January 1, 2023
  • The law applies to businesses that control or process data for:
  1. minimum of 100,000 Virginians OR 
  2. that manage personal data for at least 25,000 residents AND make 50% of their gross revenue from the sale of that information.
  • Businesses found to have violated the CDPA will be given thirty (30) days to correct accusations before they are fined up to $7,500 per violation.

What are the Consumer Rights?

  • Residents have the right to access, correct, and delete personal data that businesses collect.
  • Businesses will only be able to collect sensitive data with individual consent or consent from a child's parent.
  • This law defines sensitive data as:
  1. information about race
  2. religion
  3. sexual orientation 
  4. information collected from children
  5. biometric and geolocation data.
  • Residents have the right to opt out of having their data used for targeted advertising and to appeal the denial of a business to act on a request within a time frame of forty-five (45) days.

How is this different from the CCPA?

  • The Virginia law is less expansive than the California law in that the ability to sue lies with the state attorney general, not consumers.
  • Virginia also limits the definition of a consumer to residents acting as an individual or household, while the California law does not include that limitation.
  • The California law also covers all businesses with annual gross revenue over $25 million, while the Virginia law does not cover those businesses unless they otherwise meet one of the thresholds for data processing.

References: 

  1. 2020 Virginia Senate Bill No. 1392, Virginia 2021 First Special Session, 2020 Virginia Senate Bill No. 1392, Virginia 2021 First Special Session
  2. Id.
  3. John Fitzgerald. Virginia becomes 2nd state with comprehensive consumer data privacy law , 2021 WL 799176 (Mar. 3, 2021).
  4. Id.
  5. Id.
  6. Id.