What Is CDPA?
Protect the personal data of consumers in the Commonwealth of Virginia
Virginia’s New Consumer Data Protection Act (CDPA)
Virginia’s new data protection law, CDPA, provides data rights for Virginia consumers — in the spirit of GDPR, CCPA, and the Washington Privacy Act before it – and places new obligations on data controllers and processors.

Who Is Impacted by CDPA?
CDPA applies to anyone that conducts business in the Commonwealth of Virginia — or produces products or services for Virginia residents.
CDPA regulates companies that control or process the personal data of at least 100,000 VA consumers per year.
That number drops to 25,000 consumers if the company receives more than 50% of their revenue from the sale of these VA consumers’ personal data.

CDPA Personal Data
CDPA borrows its definition of “personal data,” from GDPR, as “any information that is linked or reasonably linked to an identified or identifiable natural person.”
CDPA also takes a page from GDPR’s book when it comes to how it defines consent. It takes an opt-in approach and requires that consent be clear, affirmative, specific, and informed.
For CDPA compliance, businesses need to be able to discover and inventory all their sensitive and personal data belonging to an identity.

CDPA Consumer Rights
Virginia consumers’ rights with respect to personal data include the right to access, correction, deletion, data portability, and the right to opt out of having their data processed for advertising purposes — or having it sold to third parties.
Companies must be able to quickly and effectively fulfill consumer data rights requests at scale, enable correction workflows, and track and document preference management, consent, and all third-party data sharing.

CDPA Exemptions
The CDPA includes exemptions for protected health information (PHI) under HIPAA, nonpublic personal information (NPI) under GLBA, and personal data regulated by FCRA and FERPA — plus 10 more categories of information.
Organizations need to automatically classify regulated data according to sensitivity and type — and create custom classifiers for specific policies.

CDPA Compliance Tips
-
Identify and Map All Your Data
Automatically find, identify, and classify all your personal and sensitive data wherever it lives — on-prem, in the cloud, and hybrid — across all data sources, at petabyte scale.
-
Fulfill DSARs
Automate the fulfillment of data requests at scale, enable correction workflows, report on activity, and react to regulatory requirements.
-
Clean Up Your Data
Minimize duplicate, similar, and redundant data; fix data quality issues; and automate workflows based on retention timelines.
-
Achieve Compliance
Maintain detailed records of information systems, stay on top of audits, and annually report on CDPA compliance.
BigID for CDPA Compliance
-
Discovery-in-Depth
Discover all personal, sensitive, and regulated data — wherever it’s stored across the enterprise.
-
Next-Gen Data Classification
Take an ML-based approach to automatically classify and tag high-risk data that is regulated by CDPA.
-
Data Remediation App
Remediate personal and sensitive data regulated by CDPA, and manage high-risk data with remediation workflows and audit trails.
-
Data Retention App
Leverage retention policies and business rules, define custom policies, and apply them consistently across all data types and sources.