On March 2, 2021, Virginia became the second state, after California (CCPA, CPRA), to pass a comprehensive consumer privacy law. Virginia’s Consumer Data Protection Act (CDPA) protects the personal information of Virginia residents and will be enforced starting January 1, 2023. Following in the footsteps of CCPA/CPRA, CDPA is structured similarly but has its own revisions and provisions. The law applies to any for-profit organization doing business in Virginia that collects consumers’ personal information and meets one of the following thresholds: during a calendar year it controls or processes the personal data of at least 100,000 consumers, or it controls or processes the personal data of at least 25,000 consumers and derives over 50 percent of its gross revenue from the sale of personal data.
Consumer rights under CDPA:
- The right to access
- The right to delete
- The right to correct
- The right to opt out
- The right to data portability
- The right to appeal
Steps toward CDPA compliance:
- Establish and update your privacy policy to acknowledge that you are aware of CDPA
- Review the legal basis for processing personal data
- Document all data that is collected or processed
- Data-map personal information fields to each internal database
- Appoint a person, team, or Data Protection Officer who owns data privacy best practices and responds to incoming Data Subject Access Requests (DSARs)
- Meet the required deadlines
- Audit and create reports that show your data landscape, proof of purpose, and all DSARs completed to date
- Understand all exemptions under CDPA
- Distinguish between data definitions, as they differ between state laws
The CDPA, which provides comprehensive data privacy protection to Virginia residents, was signed into law in March 2021 by Governor Ralph Northam and goes into effect January 1, 2023. Virginia thereby became the second U.S. state to put a strict privacy law on the books.
CDPA provides consumers control and protection over their personal data. Under CDPA “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.
This includes, but is not limited to, name, address, social security number, telephone numbers, driver’s license number, credit card numbers and more. It also includes subcategories such as biometric identifiers (e.g., fingerprints) and other unique identifiers used by the consumer (e.g., pets’ IDs). Detailed information about CDPA can be found at https://www.consumer.virginia.gov/
Virginia consumer privacy enforcement is the responsibility of the Virginia Attorney General. A company can be fined by the state of Virginia up to $7,500 per violation.
CDPA is important because it puts many data privacy protection concerns in the hands of consumers. The regulation ensures that all customers have access to their online user records at any time and lists what information is considered personal in the state of Virginia. CDPA improves data protection for consumers because it sets boundaries for companies that want to conduct business in Virginia while also protecting citizens’ privacy.
The Virginia Consumer Data Protection Act is important to both Virginia residents and any business that maintains digital records on Virginia residents. The implications reach a broad range of individuals and businesses, including persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Consumer Rights
Consumers are provided multiple rights under CDPA, including the rights to access, delete, correct, opt out, data portability, and appeal.
Data Controller Responsibilities
CDPA requires the controller to comply with a consumer’s request to exercise the consumer rights authorized under subsection A of the Act.
CDPA Enforcement and Civil Penalties
The Attorney General of the Commonwealth has exclusive authority to enforce CDPA privacy laws.
To avoid action by the Attorney General, the controller or processor has 30 days from receipt of a written notice to cure any violation or alleged violation and to provide the Attorney General an express written statement that the alleged violations have been cured and that no further violations will occur. If a controller or processor continues to violate provisions of CDPA following the cure period, or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.
Additionally, the Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees.
CYTRIO is helping all organizations meet the burden of the Virginia Consumer Data Protection Act (CDPA) with a comprehensive privacy rights management platform. Using CYTRIO, organizations can eliminate 80%+ of the manual tasks required by Virginia CDPA, resulting in significant time and cost savings, faster CDPA compliance response times, and reduced risk of regulatory fines, all while building consumer trust.
Using the CYTRIO privacy compliance platform, organizations can operationalize and automate Privacy Rights Management, enabling them to meet a complex set of CDPA compliance requirements through a secure data request intake portal, identity verification, AI-driven private data discovery, classification, identity correlation, data subject access request (DSAR) response orchestration, and detailed audit records. Learn more about CYTRIO’s NextGen Privacy Rights Management Solution.
Virginia Attorney General
Any individual who has a permanent address in Virginia
Customers of household goods and services, employees, and those who make business-to-business transactions
Yes, if you have a customer/client who resides in Virginia
How often can a consumer submit a DSAR? Consumers may only make information requests twice a year, and only for a 12-month look-back period.
Consumer: An individual whose data is collected and processed
An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form
Data mapping: The process of matching fields from one database to another
Controller: A person who determines the purposes and means of the processing of personal data
Processor: A third party who processes personal data on behalf of the controller
A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship