Governor Signs Virginia Consumer Data Protection Act

Woods Rogers PLC

Woods Rogers PLC

[co-author: John Pilch]

The Virginia Consumer Data Protection Act (CDPA, or “the Act”) makes Virginia the second state in the nation to have sweeping data privacy legislation. Nationally the CDPA could drive conversations around consumer data privacy and potentially spark discussions of a federal privacy law.

Effective January 1, 2023, the Act echoes the provisions of GDPR (the European Union’s General Data Protection Regulation), California’s Consumer Privacy Act (CCPA – which is now in effect), and California’s Privacy Rights Act (effective January 1, 2023).

What does the CDPA do?

The CDPA grants various rights to consumers:

  • To “confirm” the personal data being processed by a business
  • To obtain a copy of that data
  • To request the business delete their personal data
  • To opt-out of the processing of their personal data for targeted advertising, sale, or consumer profiling

It requires covered businesses:

  • Collect personal information only for a specific purpose
  • Limit the amount and kind of personal information collected to that which is adequate, relevant, and reasonably necessary to fulfill the purpose
  • Not to use the personal information for an unrelated purpose
  • Provide a privacy notice to consumers
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data

Who does the CDPA cover?

The Act covers businesses who “conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”

Remember “conducting business” in the age of e-commerce can mean simply operating a website that serves Virginia residents. Therefore, if a business has a website that processes personal information of at least 100,000 Virginia residents and is not subject to an exemption, it will fall under the statute and need to comply.

Who is exempt from CDPA coverage?

Several groups of businesses are exempt from CDPA, including those who fall under HIPAA or Graham-Leach-Bliley financial regulations, nonprofit organizations, institutions of higher education, and government entities in Virginia. We will have more information in future updates on the carve-outs for these industries.

What kind of “personal data” is covered by the CDPA?

The Act defines personal data as “any information that is linked or reasonably linked to an identified or identifiable natural person.” It does not include de-identified or publicly available data. Most notably, it does not include a “natural person acting in a commercial or employment context.” In other words, personal data applies almost strictly to consumer data and not business generated or employment data.

The Act further defines “sensitive data” as that data that could include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.

Business-to-business communications and contacts are specifically carved out, focusing instead on consumer-driven data collection. Similarly, photographs, videos, and audio recordings are exempt from the definition of biometric data.

What Steps Can a Business Take Now?

Rather than wait for January 1, 2023, all businesses, especially those with a national footprint, should begin the process of analyzing their data footprints and taking steps toward compliance with Virginia and California’s new enhanced privacy protections for consumers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Woods Rogers PLC | Attorney Advertising

Written by:

Woods Rogers PLC

Woods Rogers PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.