What to know about the CDPA

Proactive management of data privacy compliance to handle challenging CDPA requirements

CYTRIO - Virginia CDPA

What is the CDPA?

CYTRIO - Virginia

On March 2, 2021, Virginia became the second state to pass a privacy law behind California (CCPA, CPRA). Virginia’s Consumer Data Protection Act (CDPA) protects the personal information of Virginia residents and will be enforced starting January 1, 2023. Following the shadow of CCPA/CPRA, CDPA structures its law similarly but has its own revisions and provisions. The law applies to any for-profit organization doing business in Virginia that collect consumers’ personal information and meets one of the following thresholds:

  • Controls or processes the personal data of 100,000 or more
  • Controls or processes the personal data of at least 25,000 consumers and earns 50% of its revenue by selling personal information
There are several exemptions to CDPA separated into two main categories: Entity-Level and Data-Level. Entity-Level:
  • A body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision
  • Any financial institution or data subject to the Gramm-Leach-Bliley Act (GLBA)
  • A covered entity or business subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act)
  • A nonprofit organization
  • Specific data sets regulated by GLBA, the Fair Credit Reporting Act FCRA, the Drivers Privacy Protection Act (DPPA), the Farm Credit Act, and the Family Educational Rights and Privacy Act (FERPA)

Consumer Rights under the CCPA

The right to access

The right to delete

The right to correct

The right to opt-out

The right to data portability

The right to appeal

Best Practices: How to Comply

Compliance starts with a strategic plan and checklist. Below are a few tips to get going:

Establish and update your privacy policy to acknowledge that you are aware of CDPA

Review legal basis for processing personal data

Document all data that is collected/processed

Data map personal information fields to each internal database

Appoint a person/team/Data Protection Officer who can own data privacy best practices and respond to incoming Data Subject Access Request (DSARs)

Meet proper deadlines

Audit/create reports to show reporters your data landscape, proof of purpose, and all DSARs completed to date.

Understand all exemptions under CDPA

Decipher between data definitions as they differ between state laws

What are the fines and penalties for non-compliance?

Non-Compliance Civil Penalty
Maximum $7,500 per offense

How does Virginia’s CDPA compare to
California CPRA?

  • The right to know what personal information is sold or shared and to whom
  • The right to delete personal data and the personal data collected from third parties
  • The right to opt-out of sale or sharing of personal information
  • The right to non-discriminate
  • The right to appeal
  • The right to know what personal information is sold or shared and to whom
  • The right to delete personal data and the personal data collected from third parties
  • The right to opt-out of sale or sharing of personal information
  • The right to non-discriminate
  • The right to correct inaccurate information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to opt-out of automated decision-making technology
Who Must Comply: Organizations that conduct business or produce commercial products or services that are intentionally targeted to residents and that either:
  • Control or process the personal data of 100,000 or more
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information
  • Gross Revenue >$25 million
  • Buy, receive, sell, or share the personal information of more than 100,000 consumers, households, or devices for commercial purposes
  • Derive 50 percent or more of its annual revenues from selling or sharing consumers’ personal information
Fines Maximum $7,500 per offense
  • Unintentional Non-Compliance Civil Penalty: Maximum $2,500 per offense
  • Intentional Non-Compliance Civil Penalty: Maximum $7,500 per offense
  • Consumers can file private lawsuits for between $100 to $750 damages or for actual damages
Links No Websites must have “Do not sell my personal information” link and “Limit the use of my personal information” link
Enforcement VA Attorney General CA Attorney General + California Privacy Protection Agency
Minors - Organizations must notify minors under 16 years of age if they intend to sell or share their personal data
Cure Period (Fines) None No Cure period (CCPA has a 30 Day Cure Period)
Minor Fines - automatic $7,500 fine per violation involving the personal information of minors
Private Right of Action NO YES – but limited
12-Month Lookback NO YES – Starting January 1, 2022

Frequently Asked Questions

The CDPA, which provides comprehensive data privacy to Virginia residents, was signed into law in March 2021 by Governor Ralph Northam and goes into effect January 1st, 2023. Virginia became the second U.S. state to put strict privacy law on the books.

CDPA provides consumers control and protection over their personal data. Under CDPA “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.

This includes, but is not limited to name, address, social security number, telephone numbers, driver’s license number, credit card numbers and more. It also includes subcategories such as biometric identifiers (e.g., fingerprints) and other unique identifiers used by the consumer (e.g., pets’ IDs). Detailed information about CDPA can be found at https://www.consumer.virginia.gov/

Virginia consumer privacy enforcement is the responsibility of the Virgina Attorney General. A company can be fined by the state of Virgina up to $7,500 per violation.

VCDPA is important as it puts many data privacy protection concerns in the hands of consumers. The regulation ensures that all customers have access to their online user records at any time and lists what information is considered personal in the state of Virginia. CDPA helps improve data protection of consumers because it sets boundaries for companies who want to conduct business in Virginia while also protecting citizens’ privacy.

The Virgina Consumer Data Privacy Act is important to both Virginia residents and any business that maintains digital records on Virginia residents. The implications hit a broad range of individuals and businesses, including persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Consumer Rights
Consumers are provided multiple rights under CDPA including:

  • Right to access – To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data
  • Right to correct – Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data
  • Right to delete – consumers have the right to delete personal data provided by or obtained about the consumer
  • Right to portability – Consumers have the rights to obtain a copy of the personal data in a portable format.
  • Right to opt-out – Consumers have the right to opt out of processing of their private information.
  • Right to appeal – Consumers have a right to appeal any information request denied by a company.


Data Controller Responsibilities
CDPA requires the controller to comply with a request by a consumer to exercise the consumer rights authorized pursuant to subsection A as follows:

  • A controller shall respond to the consumer within 45 days of receipt of the request. The response period may be extended once by 45 additional days when reasonably necessary.
  • If a controller declines to act regarding the consumer’s request, the controller shall inform the consumer within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
  • If a controller is unable to validate the identity of the requestor, the controller shall not be required to comply with a request and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.
  • A controller shall establish a process for a consumer to appeal the controller’s refusal to act on a request within a reasonable period of time after the consumer’s receipt of the decision.
  • Controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
  • Not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the controller obtains the consumer’s consent.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights.
  • Not process sensitive data concerning a consumer without obtaining the consumer’s consent.
  • Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
    • The categories of personal data processed by the controller.
    • The purpose for processing personal data.
    • How consumers may exercise their consumer rights.
    • The categories of personal data that the controller shares with third parties, if any; and
    • The categories of third parties, if any, with whom the controller shares personal data.
  • A controller shall establish, and shall describe in a privacy notice (i.e., privacy policy), one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.

CDPA Enforcement and Civil Penalties

The Attorney General of Commonwealth shall have exclusive authority to enforce CDPA privacy laws.

To avoid action by the Attorney General, the Controller or processor has 30 days from receipt of a written notice to cure any violation or alleged violation, and provide the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur. If a controller or processor continues to violate provisions of CDPA following the cure period or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.

Additionally, the Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees.

CYTRIO is helping all organizations meet the burden of the Virginia Consumer Data Protection Act (CDPA) with a comprehensive privacy rights management platform. Using CYTRIO, organizations can eliminate 80%+ of manual tasks required by Virginia CDPA, resulting in significant time and cost-saving, with CDPA compliance response times and to reduce the risk of regulatory fines, all the while building consumer trust.

Using CYTRIO privacy compliance platform, organizations can operationalize and automate Privacy Right Management , enabling organizations to meet a complex set of CDPA compliance requirements through a secure data request intake portal, identity verification, AI-driven private data discovery, classification, identity correlation, data subject access request (DSAR) response orchestration, and detailed audit records. Learn more on CYTRIO’s NextGen Privacy Rights Management Solution.

Virginia Attorney General

Any individual who has a permanent address in Virginia

Customers of household goods and services, employees, and those who make business-to-business transactions

Yes, if you have a customer/client who resides Virginia

How often can a consumer submit a DSAR? Consumers may only make information requests twice a year and only for a 12-month look-back

An individual whose data is collected and processed

 An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form

The process of matching fields from one database to another

A person who determines the purposes and means of the processing of personal data

A third-party who processes personal data on behalf of the controller

A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship

All-in-one Data Privacy Compliance Platform

Before you leave why don't you grab your Free Cookie Report