Virginia: Governor signs CDPA into law

Virginia Governor, Ralph Northam, signed House Bill 2307 relating to the Consumer Data Protection Act ('CDPA') into law. The CDPA will enter into force on 1 January 2023.

Virginia CDPA Lands: What You Need To Know Webinar

Join OneTrust DataGuidance and an expert panel from Woods Rogers for a reactionary webinar looking at the newly introduced CDPA. We will discuss first impressions of the CDPA and the benefits and challenges it may present for organisations.

Key takeaways include:

  • Initial reaction to the CDPA
  • Key obligations for organizations and comparison to CCPA / CPRA programs
  • Future predictions for the Act and its current status in the legislative cycle


The CDPA includes in its scope persons that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth and that meet one or more of the following requirements:

  • during a calendar year, control or process personal data of at least 100,000 consumers; or
  • control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. 

Consumer rights

The CDPA provides consumers with several rights, including: 

  • the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling;
  • the right to confirm if their data is being processed;
  • the right to amend inaccuracies;
  • the right to data deletion; and
  • the right to data portability.

Data controller obligations

The CDPA mandates several obligations for data controllers, including:

  • providing consumers with a privacy notice;
  • establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
  • conducting and documenting data protection assessments; and
  • meeting contractual requirements when engaging data processors.

Additional resources

You can read more about the CDPA, its impact and how it compares to other legislation including the California Consumer Privacy Act of 2018 ('CCPA'), the California Privacy Rights Act of 2020 ('CPRA') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') through OneTrust DataGuidance's CDPA Portal.

You can read the CDPA here.