Virginia’s New Privacy Law: Consumer Data Protection Act (CDPA)

Many U.S. states have been proposing and passing new privacy laws in recent years. Among the most powerful and wide-reaching of these laws is the Virginia Consumer Data Protection Act (CDPA).

The CDPA takes effect on 1 January 2023 and will impact many businesses operating in Virginia, imposing new consumer rights, rules on targeted advertising, and a requirement to conduct data protection assessments.

Who is covered by the CDPA?

The CDPA applies to “controllers”, which means any entity that either:

• Conducts business in Virginia, or
• Produces products or services that target Virginia residents

A controller also has to meet one of the following thresholds to be covered by the CDPA:

• It controls or processes the personal data of at least 100,000 Virginia consumers annually and/or
• It controls or processes the personal data of at least 25,000 Virginia consumers and derives at least 50% of its gross revenue from selling personal data.

As such, the CDPA applies to businesses all over the world—regardless of their turnover—that process the personal data of Virginians.

The CDPA’s Consumer Rights

The CDPA requires controllers to facilitate certain consumer rights, enabling Virginians to exercise greater control over their personal data.

The CDPA’s six consumer rights are:

• Right of access: You must provide a copy of any personal data you hold about a consumer on request.
• Right to correct: You must correct any inaccurate personal data you hold about a consumer on request.
• Right to delete: You must delete a consumer’s personal data on request.
• Right to data portability: On request, you must provide the consumer with a copy of their personal data in a portable and readily useable format.
• Right to opt out: You must allow consumers to opt out of:
  • Targeted advertising—this means implementing a compliant consent-management tool
  • The sale of their personal data
  • Being subject to profiling, to the extent that it advances decisions that product “legal or similarly significant effects”
• The right to appeal: You must allow consumers to appeal any decision to refuse a consumer rights request.

The CDPA’s Limits on collection and use

The CDPA imposes two principles on controllers:

• Limits on collection: You must only collect personal data that is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
• Limits on use: You must not unnecessarily process personal data for any purposes other than those that are compatible with the context in which you collected the personal data—unless you obtain the consumer’s consent.

Data Protection Assessments

Under the CDPA, controllers must conduct a data protection assessment to identify and weigh the benefits and risks of certain processing activities, including:

• Targeted advertising
• Selling personal data
• Profiling to advance decisions producing legal or similarly significant effects (such as credit applications).

Privacy Policy

The CDPA requires each controller to maintain a privacy policy detailing:

• The categories of personal data you process
• Your purposes for processing each category of personal data
• How consumers may exercise their rights
• Any categories of personal data you share with third parties
• Any categories of third parties with whom you share personal data.

Enforcement

The Virginia Attorney-General will offer controllers 30 days to correct any alleged infringements of the CDPA. If the violation is not corrected within 30 days, the Attorney-General may impose a fine of up to $7,500 per violation.

If you’d like to ensure your organisation is fully compliant in time for the introduction of CDPA you can speak to a member of our team today here.