Scope, applicability, and key definitions

Who does the CDPA apply to?

The CDPA applies to persons that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth and that:

• during a calendar year, control or process personal data of at least 100,000 consumers; or
• control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Are certain subjects exempted from the application of the CDPA?

The CDPA does not apply to any body, authority, board, bureau, commission, district, or agency of the Commonwealth or of any political subdivision of the Commonwealth. Moreover, the CDPA does not apply to non-profit organisations or institution of higher education.

The CDPA also does not apply to:

• financial institutions or data subjects subject to Title V of the Gramm-Leach-Bliley Act of 1999; and
• covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act.

Are certain data exempted from the application of the CDPA?

The CDPA excludes certain data from its application, such as protected health information under the Health Insurance Portability and Accountability Act of 1996, certain health records, certain patient identifying information, as well as certain other data pertaining to a health context, financial context, or federal regulation, among others.

How does the CDPA define 'consumers'?

The CDPA defines a 'consumer' as a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.

How does the CDPA define 'consent'?

The CDPA defines 'consent' as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, which may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

How does the CDPA define the 'sale of personal data'?

Sale of personal data is defined by the CDPA as 'the exchange of personal data for monetary consideration by the controller to a third party.' However, the concept of 'sale of personal data' does not include the following:

• Disclosure of personal data to a processor that processes personal data on behalf of the controller;
• Disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
• Disclosure or transfer of personal data to an affiliate of the controller;
• Disclosure of information that the consumer:
  • intentionally made available to the general public via a channel of mass media; and
  • did not restrict to a specific audience; or
• Disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

How does the CDPA define the 'sensitive data'?

Sensitive data are defined in the CDPA as a category of personal data that includes:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• Genetic or biometric data processed for the purpose of uniquely identifying a natural person;
• The personal data collected from a known child; or
• Precise geolocation data.

Key provisions and requirements

Does the CDPA provide for consumer rights?

Consumers, and a known child's parent or legal guardian, may invoke consumer rights which include:

• to confirm whether or not a controller is processing the consumer's personal data and to access such personal data;
• to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
• to delete personal data provided by or obtained about the consumer;
• to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
• to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

What are the transparency responsibilities of data controllers?

Data controllers must comply with, among other things, requirements of proportionality, necessity, and establishing security safeguards and practices.

Notably, the CDPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice, and where personal data is sold to third parties or processing for targeted advertising, to clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

What are the data security responsibilities of data controllers?

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. In addition, the established data seurity practices must be appropriate to the volume and nature of the personal data at issue.

Are there obligations in relation to sensitive data?

Controllers must not process sensitive data without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA').

In addition, data controllers must, when processing sensitive data, conduct and document a data protection assessment in accordance with § 59.1-576. Of the CDPA.

What are the main obligations for data processors?

Data processor must follow the instructions of the controller, as well as assist the controller in meeting its obligations under the CDPA.

In particular, the processor, in order to assist the controller, will:

• fulfil the controller's obligation to respond to consumer rights requests, taking into account the nature of the processing and the information available to the processor, by appropriate technical and organisational measures, insofar as this is reasonably practicable;
• assist the controller in meeting his obligations in relation to the security of the processing of personal data and to the notification of a breach of security of the system of the processor, taking into account the nature of processing and the information available to the processor; and
• providing the controller with the necessary information to conduct and document data protection assessments.

Are vendor privacy relationship regulated under the CDPA?

The CDPA provides that a contract between the controller and a processor must govern the processor's data processing procedures in relation to the processing carried out on behalf of the controller. The contract must be binding and clearly establish:

• instructions for processing data;
• the nature and purpose of the processing;
• the type of data subject to processing;
• the duration of processing; and
• the rights and obligations of both parties.

The contract must also prescribe that the processor will have to:

• ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
• at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
• upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations under the CDPA;
• allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and
• engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Are Data Protection Impact Assessments regulated?

The CDPA provides that a controller must conduct a data protection assessment for each of the following processing activities involving personal data:

• the processing of personal data for purposes of targeted advertising; 
• the sale of personal data; 
• the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers; 
  • financial, physical, or reputational injury to consumers; 
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or 
  • other substantial injury to consumers; 
• the processing of sensitive data; and 
• any processing activities involving personal data that present a heightened risk of harm to consumers.

In relation to the content of a data protection assessment, the CDPA states that data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. 

Who is empowered to enforce violations of the CDPA?

The Virginia State Attorney General has exclusive authority to enforce the provisions of the CDPA, and prior to initiating any action must provide a controller or processor 30 days' written notice identifying the specific provisions alleged have been or are being violated.

What penalties are controllers and processors facing under the CDPA?

If a data controller or processor continues to violate the CDPA following the prescribed 30-day cure period, or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.

Next stages

What is the legislative status of the CDPA?

Both the Senate version and the House of Delegates version of the CDPA have been signed, on 2 March 2021, by the Virginia State Governor. The text of the CDPA will now be incorporated into the Code of Virginia.

When will the CDPA come into force?

The CDPA will enter into effect on 1 January 2023.

Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.