What Is CDPA?

Protect the personal data of consumers in the Commonwealth of Virginia

Virginia’s New Consumer Data Protection Act (CDPA)

Virginia’s new data protection law, CDPA, provides data rights for Virginia consumers — in the spirit of GDPR, CCPA, and the Washington Privacy Act before it – and places new obligations on data controllers and processors.

Who Is Impacted by CDPA?

CDPA applies to anyone that conducts business in the Commonwealth of Virginia — or produces products or services for Virginia residents.

CDPA regulates companies that control or process the personal data of at least 100,000 VA consumers per year.

That number drops to 25,000 consumers if the company receives more than 50% of their revenue from the sale of these VA consumers’ personal data.

CDPA Personal Data

CDPA borrows its definition of “personal data,” from GDPR, as “any information that is linked or reasonably linked to an identified or identifiable natural person.”

CDPA also takes a page from GDPR’s book when it comes to how it defines consent. It takes an opt-in approach and requires that consent be clear, affirmative, specific, and informed.

For CDPA compliance, businesses need to be able to discover and inventory all their sensitive and personal data belonging to an identity.

CDPA Consumer Rights

Virginia consumers’ rights with respect to personal data include the right to access, correction, deletion, data portability, and the right to opt out of having their data processed for advertising purposes — or having it sold to third parties.

Companies must be able to quickly and effectively fulfill consumer data rights requests at scale, enable correction workflows, and track and document preference management, consent, and all third-party data sharing.

CDPA Exemptions

The CDPA includes exemptions for protected health information (PHI) under HIPAA, nonpublic personal information (NPI) under GLBA, and personal data regulated by FCRA and FERPA — plus 10 more categories of information.

Organizations need to automatically classify regulated data according to sensitivity and type — and create custom classifiers for specific policies.

Get a demo

CDPA Compliance Tips

  • Identify and Map All Your Data

    Automatically find, identify, and classify all your personal and sensitive data wherever it lives — on-prem, in the cloud, and hybrid — across all data sources, at petabyte scale.

  • Fulfill DSARs

    Automate the fulfillment of data requests at scale, enable correction workflows, report on activity, and react to regulatory requirements.

  • Clean Up Your Data

    Minimize duplicate, similar, and redundant data; fix data quality issues; and automate workflows based on retention timelines.

  • Achieve Compliance

    Maintain detailed records of information systems, stay on top of audits, and annually report on CDPA compliance.

Get a demo

BigID for CDPA Compliance

  • Discovery-in-Depth

    Discover all personal, sensitive, and regulated data — wherever it’s stored across the enterprise.

  • Next-Gen Data Classification

    Take an ML-based approach to automatically classify and tag high-risk data that is regulated by CDPA.

  • Data Remediation App

    Remediate personal and sensitive data regulated by CDPA, and manage high-risk data with remediation workflows and audit trails.

  • Data Retention App

    Leverage retention policies and business rules, define custom policies, and apply them consistently across all data types and sources.

Awards & Recognition