Virginia Passes New Consumer Data Protection Act (CDPA)

Virginia Passes New Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (CDPA) was recently passed, becoming the second U.S. state to enforce state data protection laws. While some of the provisions mirror the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the below highlights the new requirements set forth in Virginia.

When is it effective and who does it apply to?

Effective January 1, 2023
The law applies to businesses that control or process data for:

minimum of 100,000 Virginians OR
that manage personal data for at least 25,000 residents AND make 50% of their gross revenue from the sale of that information.

Businesses found to have violated the CDPA will be given thirty (30) days to correct accusations before they are fined up to $7,500 per violation.

What are the Consumer Rights?

Residents have the right to access, correct, and delete personal data that businesses collect.
Businesses will only be able to collect sensitive data with individual consent or consent from a child's parent.
This law defines sensitive data as:

information about race
religion
sexual orientation
information collected from children
biometric and geolocation data.

Residents have the right to opt out of having their data used for targeted advertising and to appeal the denial of a business to act on a request within a time frame of forty-five (45) days.

How is this different from the CCPA?

The Virginia law is less expansive than the California law in that the ability to sue lies with the state attorney general, not consumers.
Virginia also limits the definition of a consumer to residents acting as an individual or household, while the California law does not include that limitation.
The California law also covers all businesses with annual gross revenue over $25 million, while the Virginia law does not cover those businesses unless they otherwise meet one of the thresholds for data processing.

‍

References:

2020 Virginia Senate Bill No. 1392, Virginia 2021 First Special Session, 2020 Virginia Senate Bill No. 1392, Virginia 2021 First Special Session
Id.
John Fitzgerald. Virginia becomes 2nd state with comprehensive consumer data privacy law , 2021 WL 799176 (Mar. 3, 2021).
Id.
Id.
Id.

Other blog posts

Legislation Tracker

New York's NY SHIELD Act & What it Means for Your Business

The SHIELD Act requires any person or business owning or licensing computerized data that include the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The SHIELD Act will have far-reaching effects, as any business that holds private information of a New York resident—regardless of whether the organization does business in New York—must comply with the new law.

Product Updates

Elroi Founder & CEO at Tech Talk 2020 - Control Your Data, Control Your World

Elroi's Founder & CEO, Rachel Cash, Esq. at Tech Talk 2020 covers why you must control your data to control your world.

Legislation Tracker

California’s Consumer Privacy Act and What It Means for Your Business

The political world can be vast and confusing, especially when it comes to laws that can affect your business. Luckily, Elroi is here to help and keep you both up to date and compliant! While we do not yet have a national data privacy law in the United States, state policies, such as the California Consumer Privacy Act, can still have major impacts on how you conduct business.