On March 2, 2021, Governor Northam made Virginia the second state in the U.S. to enact a comprehensive privacy law, Virginia's Consumer Data Protection Act (CDPA). We will follow-up with more discussion on how this impacts your business in the lead-up to the law's effective date (January 1, 2023, the same as CPRA), but here are a few highlights:
- Individuals protected: CDPA regulates data related to Virginia residents in their individual or household capacity. It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data).
- Regulated entities: CDPA regulates "controllers" and "processors" that meet this test: individuals or entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and meet one of two thresholds: (1) control or process personal data of at least 100,000 consumers or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of that data. CDPA does not apply to Commonwealth agencies or political subdivisions of the Commonwealth, entities or data subject to the Gramm-Leach-Bliley Act, covered entities or business associates governed by HIPAA, non-profits or institutions of higher education.
- Enforceability: CDPA does not include a private right of action. The law may only be enforced by the Virginia Attorney General's Office. Entities have a 30-day notice and cure period to remedy any violations of the law before the AG can initiate an enforcement action.