Virginia just became the second state to pass a comprehensive privacy law, the Consumer Data Protection Act (“CDPA”). Business and privacy professionals should evaluate the ramifications: what does it require, who does it apply to, and what are the penalties?

The CDPA is set to go into effect January 1, 2023, and gives consumers the rights to opt-out of the processing of their personal data for targeted advertising or profiling; to confirm if their data is being processed; to amend inaccuracies; to delete their personal data; to data portability; and to appeal a controller’s decisions regarding any of the above. Although these are not novel privacy rights, the CDPA will bring many businesses under the purview of robust state privacy law for the first time.

To determine if a business is covered by the CDPA, first look to its exemptions: agencies, authorities, boards, bureaus, commissions, districts, or political subdivisions of the state are all exempt. So are entities that are subject to the Graham-Leach-Blikey Act or HIPAA, non-profit organizations, and institutions of higher education.

If an entity is not in one of the exempt categories, the new obligations apply to any entity, called a “data controller,” that:

Conducts business in Virginia or produces products or services that are targeted to Virginia residents; and either
Controls or processes the personal data of at least 100,000 consumers in a calendar year; or
Derives at least 50% of its gross revenue from the sale of personal data

These thresholds are high, and are designed to target companies with a lot of consumer data, rather than just companies that are simply large. This is evident in that there is no gross revenue threshold that would qualify a large company that does not process much user data, unlike several other proposed state laws.

By definition, a “consumer” is “a natural person who is a resident of the Commonwealth acting only in an individual or household context.” In simple terms, the CDPA does not apply to employee data, or personal information that is collected by employers in the course of business. Thus, employers would not count employees in determining if they meet the 100,000 consumer threshold. The CDPA also defines “sale of personal information” to mean, with a few exceptions, “the exchange of personal data for monetary consideration by the controller to a third party.” Personal data also excludes any information that is de-identified or publicly available. This definition differs from the CCPA.

For “controllers” targeted by this law, the CDPA mandates that they provide consumers with a privacy notice; establish, implement, and maintain reasonable security practices to protect the consumer’s data; conduct and document data protection assessments; and use contracts to police compliance by any data vendors (“data processors”). Such businesses will need to evaluate their privacy policies, security practices and business and vendor contracts to ensure that they and their affiliates can comply with the CDPA.

The CDPA also has a new requirement to conduct “data impact assessments.” The first of its kind in the US, these assessments will likely look similar to a data protection impact assessment under the GDPR.

As for the penalties: if a company fails to meet any of the above provisions, enforcement will fall to the Attorney General of Virginia. More guidance in the coming two years will illuminate the enforcement details. Nevertheless, the law currently guarantees controllers a 30-day cure period for any violations. Once this law takes effect, if a controller does not cure a violation in the 30-day period, the Attorney General can fine them up to $7,500 per violation.

Written by: Ryan W. McBride & Philil M.Nelson