On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. The CDPA, which takes effect on January 1, 2023, blends familiar principles from the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). Because the CDPA differs in important respects from the CCPA and CPRA, now is a good time for companies to assess the CDPA’s potential impact, develop a strategy for meeting business goals within the ever-growing patchwork of privacy requirements, and prepare to implement those strategic choices before the relevant deadlines.
Key features of the CDPA
- Coverage. The CDPA applies to for-profit entities that conduct business in Virginia, or produce products or services targeted to Virginia residents, and that during a calendar year either:
  - control or process the personal data of at least 100,000 Virginia consumers; or
  - control or process the personal data of at least 25,000 Virginia consumers and derive more than 50% of gross revenue from the sale (which is broadly defined) of personal data.
Personal data is defined under the CDPA as any information that is linked or reasonably linkable to an identified or identifiable natural person, even if the entity lacks the information needed to contact that person. De-identified data and publicly available data are excluded from the definition.
- Exemptions. The CDPA recognizes several entity and data-specific exceptions, such as data controlled under HIPAA and the GLBA, and exemptions for employee and business-to-business data.
- Consumer Rights. The CDPA grants Virginia consumers broad new rights of access, correction, deletion, and portability, the right to opt out of the sale of their personal data, and the right to opt out of targeted advertising and of profiling in furtherance of decisions that produce legal or similarly significant effects. These rights will materially affect how many companies do business, from advertising practices to reliance on artificial intelligence or machine learning for consequential decisions. Consumers can also appeal a controller’s denial of their privacy requests.
- Business Obligations. The CDPA imposes requirements regarding data minimization, data security, and third-party contracting, along with limits on how personal data may be used. Through the mandatory contracting provisions, these obligations reach vendors and suppliers (processors) of covered entities even where those vendors or suppliers would not otherwise be subject to the CDPA on their own.
- Enforcement. The Virginia Attorney General has exclusive authority to enforce the CDPA. Before bringing an action, the AG must give written notice of the alleged violations and allow a 30-day period to cure; if the violation is not cured, the AG may seek civil penalties of up to $7,500 per violation. Importantly, the CDPA does not provide consumers with a private right of action.