Law: Consumer Data Protection Act ('CDPA')
Regulator: The Virginia Attorney General ('AG')
Summary: Each chamber of the Virginia General Assembly passed companion bills for the Consumer Data Protection Act ('CDPA'), each of which has been signed by the State Governor and incorporated into the Code of Virginia. The CPDA regulates privacy and data protection matters in Virginia by establishing new definitions, and conferring several rights on consumers including access, correction, deletion, portability, and opt-out rights. Furthermore, the CDPA establishes obligations on controllers and processors including rules regarding Data Protection Impact Assessments and the processing of de-identified data. The CDPA will enter into effect on 1 January 2023.
In addition to the CDPA, the Personal Information Privacy Act restricts the sale of personal information of customers by merchants as well as the use of social security numbers. Moreover, under Virginia's personal information breach notification law (§18.2-186.6 of the Code of Virginia), a personal data breach must be notified to affected consumers and to the AG and nationwide consumer reporting agencies, when the notification is provided to more than 1,000 persons. Specific protections are applicable in relation to health, employment, and financial information. Additionally, the Virginia Telephone Privacy Protection Act outlines prohibitions for solicitation calls when a person has previously stated that they do not wish to receive the call.