Virginia may have been the 10th state in the US, but they’re the 2nd state after California to pass data privacy legislation into law.

Click here to download the checklist – or continue for details on how businesses can prepare for the Virginia Consumer Data Privacy Act (CDPA).

CDPA Overview

The Virginia Consumer Data Privacy Act (CDPA) was enacted on January 1, 2023. The new legislation puts data rights into the hands of Virginia consumers and places new obligations on data controllers and processors, which applies to anyone that conducts business in the Commonwealth of Virginia – or produces products or services for Virginia Residents.

Who Does the Consumer Data Privacy Act Protect?

The law protects any individual who is a Virginia resident or household that can reasonably be identified.

The legislation was designed to protect Virginia consumers and motivate (and enforce) all organizations that process Virginia resident information to be accountable for data privacy protection and properly safeguarding consumer data.

Territorial Scope of the CDPA

Any company that collects personal data and conducts business in the Commonwealth of Virginia or produces products or services targeting Virginia residents must comply with CDPA. The CDPA sets boundaries on the amount of data collected, processed, and monetized with these specific terms:

  • Any business that controls or processes the personal data of 100,000 or more Virginia consumers within a year
  • Any business that controls or processes the personal data of at least 25,000 consumers and obtains over 50% of gross revenue from the sale of personal data.

CDPA Penalties & Enforcement

  • The Virginia CDPA does not provide a private right of action, meaning that Virginia citizens cannot take legal action for CDPA violations.
  • The Virginia attorney general exclusively manages the enforcement of CDPA.
  • If a controller fails to comply, it can result in a fine of up $7,500 per violation. The controller must resolve the situation and provide a written notification stating the breach and the resolution.

CDPA Consumer Data Rights

  • right of access: consumers can submit a data subject access request (DSAR) to gain access to their personal information, which also includes a right to confirm whether an organization is processing consumer’s personal data
  • right to correction: companies must offer consumers the ability to update and correct inaccurate information a company may have about them.
  • right to deletion: Consumers have the right to request that their data be deleted (or reasonably quarantined)
  • right to data portability: Consumers must have their data transferred safely and securely between systems.
  • right to opt-out: Consumers can opt-out of data processing for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Organizations must take action on consumer requests within 45 days of receipt and establish an appeal process when a consumer request is not completed.

What the CDPA Means for Organizations

The CDPA, similar to CPRA, has specific requirements for data minimization, retention policies, and data protection impact assessments (DPIA) to mitigate privacy risk:

  • Data Minimization: CDPA requires organizations to implement data minimization principles to limit data processing beyond a necessary purpose.
  • Data Retention Policies: Businesses must apply retention policies to ensure data is kept that is reasonably necessary.
  • Privacy Risk Assessments: For businesses to properly evaluate risk, CDPA requires organizations to conduct data protection impact assessments (DPIA) when:
    • Processing data for targeted marketing
    • Selling personal data
    • Processing data for profiling
    • Processing sensitive data
    • Any processing activity that presents a risk to consumers

Organizations Personal Data Responsibilities Under CDPA

Personal data under CDPA refers to information linked or reasonably linked to identifying a natural person in Virginia. But this does exclude publicly accessible and de-identified data — and the law sets specific standards on how to manage de-identified data.
Organizations are only allowed to process sensitive data with the consent of consumers or “parental consent” when it relates to children’s data following the Children’s Online Privacy Protection Act (COPPA).

CDPA defines sensitive data as:

  • Race or ethnicity, religious beliefs, citizenship, or immigration status
  • Biometric or genetic data
  • Children’s data
  • Geolocation data

CDPA Checklist

Download the CDPA compliance checklist to prioritize the right actions to become CDPA compliant, including how to:

How BigID Helps with the CDPA

BigID helps organizations achieve compliance with privacy regulations like CDPA. Leverage BigID to comply with CDPA using data protection impact assessments, a self-service portal, automated DSAR fulfillment, and regulatory reporting to simplify privacy compliance. With BigID, organizations can:

See how BigID helps organizations manage compliance expectations for CDPA – from DSARs fulfillment to privacy risk assessmentsGet a demo