The CDPA, which provides comprehensive data privacy to Virginia residents, was signed into law in March 2021 by Governor Ralph Northam and goes into effect January 1st, 2023. Virginia became the second U.S. state to put strict privacy law on the books.

CDPA provides consumers control and protection over their personal data. Under CDPA “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.

This includes, but is not limited to name, address, social security number, telephone numbers, driver’s license number, credit card numbers and more. It also includes subcategories such as biometric identifiers (e.g., fingerprints) and other unique identifiers used by the consumer (e.g., pets’ IDs). Detailed information about CDPA can be found at https://www.consumer.virginia.gov/

Virginia consumer privacy enforcement is the responsibility of the Virgina Attorney General. A company can be fined by the state of Virgina up to $7,500 per violation.

VCDPA is important as it puts many data privacy protection concerns in the hands of consumers. The regulation ensures that all customers have access to their online user records at any time and lists what information is considered personal in the state of Virginia. CDPA helps improve data protection of consumers because it sets boundaries for companies who want to conduct business in Virginia while also protecting citizens’ privacy.

The Virgina Consumer Data Privacy Act is important to both Virginia residents and any business that maintains digital records on Virginia residents. The implications hit a broad range of individuals and businesses, including persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Consumer Rights
Consumers are provided multiple rights under CDPA including:

• Right to access – To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data
• Right to correct – Consumers have the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data
• Right to delete – consumers have the right to delete personal data provided by or obtained about the consumer
• Right to portability – Consumers have the rights to obtain a copy of the personal data in a portable format.
• Right to opt-out – Consumers have the right to opt out of processing of their private information.
• Right to appeal – Consumers have a right to appeal any information request denied by a company.

Data Controller Responsibilities
CDPA requires the controller to comply with a request by a consumer to exercise the consumer rights authorized pursuant to subsection A as follows:

• A controller shall respond to the consumer within 45 days of receipt of the request. The response period may be extended once by 45 additional days when reasonably necessary.
• If a controller declines to act regarding the consumer’s request, the controller shall inform the consumer within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
• If a controller is unable to validate the identity of the requestor, the controller shall not be required to comply with a request and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.
• A controller shall establish a process for a consumer to appeal the controller’s refusal to act on a request within a reasonable period of time after the consumer’s receipt of the decision.
• Controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
• Not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the controller obtains the consumer’s consent.
• Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
• Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights.
• Not process sensitive data concerning a consumer without obtaining the consumer’s consent.
• Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  • The categories of personal data processed by the controller.
  • The purpose for processing personal data.
  • How consumers may exercise their consumer rights.
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.
• A controller shall establish, and shall describe in a privacy notice (i.e., privacy policy), one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.

CDPA Enforcement and Civil Penalties

The Attorney General of Commonwealth shall have exclusive authority to enforce CDPA privacy laws.

To avoid action by the Attorney General, the Controller or processor has 30 days from receipt of a written notice to cure any violation or alleged violation, and provide the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur. If a controller or processor continues to violate provisions of CDPA following the cure period or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.

Additionally, the Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees.

CYTRIO is helping all organizations meet the burden of the Virginia Consumer Data Protection Act (CDPA) with a comprehensive privacy rights management platform. Using CYTRIO, organizations can eliminate 80%+ of manual tasks required by Virginia CDPA, resulting in significant time and cost-saving, with CDPA compliance response times and to reduce the risk of regulatory fines, all the while building consumer trust.

Using CYTRIO privacy compliance platform, organizations can operationalize and automate Privacy Right Management , enabling organizations to meet a complex set of CDPA compliance requirements through a secure data request intake portal, identity verification, AI-driven private data discovery, classification, identity correlation, data subject access request (DSAR) response orchestration, and detailed audit records. Learn more on CYTRIO’s NextGen Privacy Rights Management Solution.

Virginia Attorney General

Any individual who has a permanent address in Virginia

Customers of household goods and services, employees, and those who make business-to-business transactions

45 days

Yes, if you have a customer/client who resides Virginia

How often can a consumer submit a DSAR? Consumers may only make information requests twice a year and only for a 12-month look-back

An individual whose data is collected and processed

 An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form

The process of matching fields from one database to another

A person who determines the purposes and means of the processing of personal data

A third-party who processes personal data on behalf of the controller

A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship