The Virginia General Assembly is on track to pass the Virginia Consumer Data Protection Act (CDPA). In many ways, this consumer privacy legislation mirrors California’s groundbreaking Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).

If passed, Virginia’s bill will add to the patchwork of state privacy bills popping up around the country in the absence of a comprehensive federal privacy law.

On January 29, the House of Delegates approved HB 2307, and its companion bill 1392 passed in the Virginia Senate on February 5, 2021. The bill will now undergo reconciliation before enactment. Governor Northam could sign the bill into law by the end of February. If signed, the act will go into effect on January 1, 2023.

CDPA’s similarities to CCPA and GDPR

Like the CCPA and GDPR, Virginia’s CDPA would create a number of personal data rights for consumers. “Consumers” include natural persons residing in Virginia, and “personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable person.”

The law would apply to any entity that conducts business in Virginia or produces products or services targeted to Virginia and either:

  • Controls or processes personal data of at least 100,000 consumers
  • Derives over 50% of gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 consumers

If enacted, the CDPA will require covered entities to disclose what personal data they collect, as well as the means and purposes for their collection.

The bill incorporates GDPR’s “data minimization” standard, requiring covered entities to limit their collection and processing of personal data to only what is adequate, relevant, and reasonably necessary for the disclosed purposes.

VA CDPA Bill of Rights

Covered entities will also be required to inform consumers of their rights under the CDPA. The proposed law would give consumers the right to:

  • Know what personal data an entity holds on them
  • Correct inaccuracies in their personal data held by an entity
  • Require the entity to delete their personal data
  • Opt out of the sale of their personal data, as well as any processing for targeted advertising or profiling that significantly affects the consumer

Data processing assessment will be a requirement

Entities that sell personal data, process sensitive data, or process personal data for targeted advertising must also conduct and document a data processing assessment.

This self-evaluation will require entities to give attention to implementing and continually evaluating their administrative, technical, and physical data security practices to ensure the protection of the confidentiality, integrity, and accessibility of personal data.

For now, no private right of action

Notably, in its current form the bill does not grant consumers a private right of action.

Enforcement would be through the Virginia Attorney General (AG). The bill also provides a 30-day cure period for any violations identified by the AG. Violations would be subject to a maximum civil penalty of $7,500 per violation.

Pay extra attention to the opt-out provision

Businesses that have been building compliance for the CCPA are on track for complying with major portions of the CDPA. However, the opt-out provision goes further than the CCPA’s, allowing a consumer to opt out of not only the sale of data, but also targeted advertising and forms of profiling. If enacted, companies must give this provision special attention to ensure compliance.

California, Nevada, and Maine have already enacted data privacy legislation, and Washington, New York, Minnesota, and Oklahoma are also considering bills introduced in their respective legislative sessions this year.

Our Privacy, Cybersecurity, and Data Management will continue to monitor state and federal developments on this front.