Virginia Consumer Data Protection Act (CDPA)

Overview

The Virginia Consumer Data Protection Act (CDPA) is a state law that regulates how organizations collect, process, use, store, and distribute personal information of Virginia residents. Enacted on March 2, 2021, and effective from January 1, 2023, the CDPA grants consumers rights over their personal data and imposes responsibilities on businesses to protect data privacy and security.

House Bill 707 (HB 707), approved on May 17, 2024, introduced updates to the CDPA, including enhanced protections for children's personal data, effective January 1, 2025.

Regulation Summary

Timeline
  • March 2021: VCDPA signed into law by Governor Ralph Northam.
  • January 1, 2023: VCDPA became enforceable.
  • January 1, 2025: Updated provisions, including child data protections under HB 707, become effective.
What Businesses Are Affected
  • Businesses conducting operations in Virginia or targeting Virginia residents.
  • Thresholds for Applicability:
    • Process personal data of 100,000+ consumers annually.
    • Process personal data of 25,000+ consumers annually and derive 50% or more of revenue from the sale of personal data.
Exemptions
  • Government agencies, nonprofits, and higher education institutions.
  • Entities covered by HIPAA, GLBA, and other federal laws.
  • Employment-related and publicly available data.
Responsibilities for Businesses
  • Data Minimization: Limit data collection to what is necessary for specified purposes.
  • Transparency: Provide privacy notices detailing data practices, consumer rights, and processing purposes.
  • Opt-Out Rights: Allow consumers to opt out of data sales, targeted advertising, and profiling.
  • Data Security: Implement safeguards appropriate to the data's sensitivity and volume.
  • Sensitive Data Consent: Obtain explicit consent before processing sensitive data.
Specific Responsibilities for Website Owners
  • Establish a designated request address for consumer rights requests.
  • Respond to verified consumer requests within 45 days, extendable by another 45 days if necessary.
  • Provide clear disclosures on data collection and sharing practices.
Additional Requirements
  • Data Protection Assessments: Required for high-risk activities, including:
    • Targeted advertising.
    • Sale of personal data.
    • Profiling with significant consumer impact.
  • Child Data Protections: Enhanced requirements for processing data of known children under 13.
Data Subject Rights
  • Access: Confirm whether personal data is being processed and obtain a copy of it.
  • Correction: Rectify inaccuracies in data.
  • Deletion: Request data deletion.
  • Portability: Receive data in a portable format.
  • Opt-Out: Refuse targeted advertising, data sales, or profiling.
Enforcement
  • Enforced by the Virginia Attorney General.
  • Cure Period: 30 days to address violations.
  • Penalties: Up to $7,500 per violation.
  • No private right of action.