The Virginia Consumer Data Protection Act (CDPA) is the second comprehensive data privacy regulation to pass in the US, behind California’s CCPA. Other states have also proposed data privacy legislation this year, including Florida, Oklahoma, and Washington, to name a few. If these laws pass, businesses will have a busy next couple of years preparing. And having multiple state privacy laws in effect could lend further argument to the need for a federal privacy law.
The CDPA becomes effective in January 2023.
The CDPA will apply to businesses that control or process personal information of at least 100,000 consumers (defined as Virginia residents) or those businesses that control or process the data of at least 25,000 consumers AND make 50% or more of their gross revenue from the sale of personal data.
The CDPA exempts businesses that are subject to HIPAA, GLBA, and other regulations. This is a broader exemption than the CCPA, which applies to information covered by those requirements but not the organization.
The CDPA has fine amounts up to $7,500 per violation.
The CDPA will be enforced by the Virginia Attorney General, and there will be a Consumer Privacy Fund to ensure resources are allocated for enforcement. Notably, there is not a private right of action.
There is a 30-day “Right to Cure” of potential violations. It appears states are continuing to give businesses the ability to right any potential wrongs, given this type of legislation is relatively new compared to other regulations and obligations businesses face.
Consumers will have the ability to access, correct, delete, and receive a copy of their personal data.
Consumers can opt-out of the processing of personal data in the context of targeted advertising under the CDPA. If a business has not already done so, this will likely require some form of cookie notice and the ability for the consumer to stop cookies and trackers from being placed when they visit a website.
Businesses will also be required to make additional disclosures surrounding their personal data processing activities, the rights, and how consumers may exercise their rights.
Businesses are also required to perform impact assessments to ensure they are not infringing upon a consumer’s privacy rights with their processing activities, have implemented appropriate technical and security controls, and have appropriate agreements in place with vendors (referred to as “processors” under the CDPA).
As outlined, the CDPA is not effective until January 2023, so businesses will have time to prepare. Businesses that have been subject to the CCPA that have a program in place to comply will likely be able to rely upon existing controls and frameworks with some tweaks here and there to comply with the CDPA.