Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) on Tuesday, March 2, 2021. Virginia now joins California as the second state to have a data privacy law. The law takes effect on January 1, 2023, so businesses have some time to get ready. In our previous article on the proposed legislation, we described the new consumer rights available, the lack of a private right of action, and detailed which businesses will have to comply with the new law. In addition to providing consumers with their rights regarding their data, the CDPA requires transparent processing of personal data through a privacy notice, which must include the following:
In addition, if a controller sells personal data to data brokers or processes personal data for targeted advertising, controllers must disclose such processing to consumers and inform them about how a consumer may exercise the right to object to such processing, in a clear and conspicuous manner.
Finally, the new law requires controllers to conduct a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers.