Virginia Consumer Data Protection Act (CDPA): What You Need To Know
On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law, officially making the state the latest to pass a comprehensive data privacy law since California and the California Privacy Rights Act (CPRA). The CDPA introduces several new requirements relating to the processing of personal data, establishes several definitions, including precise geolocation data, sensitive data, and the sale of personal data, and grants individuals a range of consumer rights, including the right of access and the right to opt out of targeted advertising, the sale of personal data, and profiling. Additionally, organizations will be subject to vendor management obligations, including data processing agreements, as well as data security and data protection assessment requirements.
Related Reading: International: Comparing Virginia's CDPA with the CPRA and the GDPR
A Brief Overview of the CDPA
Scope of Application
The CDPA applies to persons that conduct business in the Commonwealth of Virginia or persons who produce products or services that are targeted at Virginia residents and meet one of the following requirements:
- Processing or controlling the personal data of at least 100,000 consumers in a calendar year
- Processing or controlling the personal data of at least 25,000 consumers and deriving over 50% of gross revenue from selling that data
However, there are a number of exemptions to the CDPA’s scope, including for non-profit organizations and for information covered by sectoral laws such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
The CDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person.
Processing Sensitive Data
The CDPA introduces sensitive data as a new category of personal data. Such data has a heightened level of privacy protection under the CDPA, and data controllers covered by the CDPA must obtain the affirmative consent of the data subject before any processing activities involving sensitive data commence.
Sensitive data includes a consumer’s personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Immigration or citizenship standing
- Genetic or biometric data
- Personal data from a known child
- Precise geolocation data
The CDPA provides consumers with the following rights:
- Right to access
- Right to correct inaccuracies
- Right to deletion
- Right to opt out of:
  - Sale of personal data
  - Targeted advertising
- Right to appeal decisions
- Right to data portability
- Right to non-discrimination
These rights do not apply in an employment context as the CDPA does not apply to employee data.
Organizations that receive consumer requests must respond without undue delay and within 45 days, with the possibility of a 45-day extension.
Enforcement and Penalties
The CDPA will be enforced by the Virginia Attorney General, who can issue civil penalties of up to $7,500 per violation. Organizations have a cure period of 30 days to remedy violations of the CDPA's provisions. All civil penalties, expenses, and attorney fees collected in relation to violations of the CDPA shall be paid into the consumer privacy fund. In addition, the CDPA does not provide consumers with a private right of action.
Virginia Consumer Data Protection Act Webinar
Privacy experts from OneTrust DataGuidance were joined by an expert panel from Woods Rogers for a reaction webinar following the passage of the CDPA to take a closer look at the newly introduced Virginia law. In this webinar, we will discuss first impressions of the new law, the benefits and challenges it may present, and a potential timeline and future predictions for the Act.
Key takeaways include:
- Initial reaction to the CDPA
- Key obligations for organizations and comparison to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- Future predictions for the Act and its status in the legislative cycle
Further Virginia Consumer Data Protection Act Resources
- OneTrust Blog: Virginia’s Consumer Data Protection Act Signed into Law
- OneTrust DataGuidance News: Virginia: Governor signs CDPA into law
- OneTrust DataGuidance Video: USA State Privacy Bill Developments: What You Need To Know
- OneTrust DataGuidance Portal: Virginia Consumer Data Protection Act (CDPA)