Full Guide to Virginia’s Consumer Data Protection Act (CDPA)
The Virginia Consumer Data Protection Act (CDPA) was introduced on January 1, 2021 to the House of Delegates and was signed into law by Governor Ralph Northam on March 2, 2021.
The CDPA became the second comprehensive data privacy law adopted in the US, after the CCPA. While the CCPA and CDPA share many similarities on data privacy and protection, important differences remain, chiefly in the scope of the protected data, the B2B data exemption, and the requirement for data protection assessments.
The CDPA is scheduled to go into effect on January 1, 2023.
The CDPA currently applies to for-profit entities that:
(i) conduct business in Virginia or offer products or services targeted to residents of Virginia, and
(ii) control or process the data of at least 100,000 consumers, or
(iii) control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data.
Covered Personal Information
The CDPA defines “personal data” as any information that is linked or reasonably associated with an identified or identifiable natural person; this also includes households.
Under this Virginia Data Privacy Law, consent is required to process “sensitive data” which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data, personal data collected from a known child, and precise geolocation data.
Anonymous, De-identified, Pseudonymous, or Aggregated Data
This data privacy law explicitly excludes “de-identified data or publicly available information,” but not pseudonymous information.
Sensitive data receives greater protection and includes personal data collected from children. Businesses that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) are deemed compliant with the CDPA’s obligation to obtain parental consent.
The CDPA does not expressly require businesses to display a privacy notice at or before the point of the collection of personal data, nor does it require businesses to provide a “do not sell my information” link.
This regulation introduces the following consumer rights:
- Right to know, access, and confirm
- Right to deletion
- Right to opt-out of sale (defined as the exchange of personal data for monetary consideration)
- Right to opt-out of processing for targeted advertising
- Right to opt-out of profiling
- Right to nondiscrimination
- Right to data portability
- Right to rectification/correction
The CDPA requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller.
The contract should include:
- The type of data,
- The duration of processing,
- The rights and obligations of both parties, with specific obligations for the processor.
Data Protection Assessments
The regulation requires Data Protection Assessments for the following processing activities:
- The processing of personal data for targeted advertising,
- The sale of personal data,
- The processing of personal data for purposes of profiling,
- The processing of sensitive data,
- Processing activities involving personal data that present a heightened risk of harm to consumers.
The CDPA will be enforced by the Attorney General of Virginia.
Private Right of Action
The CDPA does not contain a provision for private rights of action.
Penalties and Damages
Under this privacy framework, the Attorney General may seek civil penalties of up to $7,500 per violation, injunctive relief, and recoupment of investigation and case preparation expenses, including attorney fees, incurred by the Attorney General.
The CDPA does not provide a cure period.
The CDPA specifies the following exemptions:
- Individuals acting in a commercial or employment context,
- Financial institutions subject to the GLBA,
- Health care entities subject to HIPAA.
Under the CDPA, a controller that uses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of contractual commitments.
Processors must also assist the controller in meeting the controller’s obligations, taking into account the nature of the processing and the information available to the processor, by securely processing personal data and by complying with the security breach notification requirements of § 18.2-186.6.