The Virginia Consumer Data Protection Act (CDPA, or “the Act”) makes Virginia the second state in the nation to have sweeping data privacy legislation. Nationally, the CDPA could drive conversations around consumer data privacy and potentially spark discussions of a federal privacy law.

Effective January 1, 2023, the Act echoes the provisions of GDPR (the European Union’s General Data Protection Regulation), California’s Consumer Privacy Act (CCPA – which is now in effect), and California’s Privacy Rights Act (effective January 1, 2023).

What does the CDPA do?

The CDPA grants various rights to consumers:

  • To “confirm” the personal data being processed by a business
  • To obtain a copy of that data
  • To request the business delete their personal data
  • To opt-out of the processing of their personal data for targeted advertising, sale, or consumer profiling

It requires covered businesses to:

  • Collect personal information only for a specific purpose
  • Limit the amount and kind of personal information collected to that which is adequate, relevant, and reasonably necessary to fulfill the purpose
  • Not use the personal information for an unrelated purpose
  • Provide a privacy notice to consumers
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data

Who does the CDPA cover?

The Act covers businesses that “conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”

Remember, “conducting business” in the age of e-commerce can mean simply operating a website that serves Virginia residents. Therefore, if a business has a website that processes personal information of at least 100,000 Virginia residents and is not subject to an exemption, it will fall under the statute and need to comply.

Who is exempt from CDPA coverage?

Several groups of businesses are exempt from CDPA, including those who fall under HIPAA or Gramm-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and government entities in Virginia. We will have more information in future updates on the carve-outs for these industries.

What kind of “personal data” is covered by the CDPA?

The Act defines personal data as “any information that is linked or reasonably linked to an identified or identifiable natural person.” It does not include de-identified or publicly available data. Most notably, it does not include a “natural person acting in a commercial or employment context.” In other words, the definition of personal data applies almost strictly to consumer data and not to business-generated or employment data.

The Act further defines “sensitive data” as data that could include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.

Business-to-business communications and contacts are specifically carved out, focusing instead on consumer-driven data collection. Similarly, photographs, videos, and audio recordings are exempt from the definition of biometric data.

What Steps Can a Business Take Now?

Contact the Woods Rogers Cybersecurity & Data Privacy group to begin making a compliance timeline and plan. Rather than wait for January 1, 2023, all businesses, especially those with a national footprint, should begin the process of analyzing their data footprints and taking steps toward compliance with Virginia’s and California’s new enhanced privacy protections for consumers.