On March 2, 2021, Virginia Governor Ralph Northam signed off on the Virginia Consumer Data Protection Act (“CDPA”), which will take effect on January 1, 2023. This makes Virginia the second state in the country (after California) to adopt more comprehensive legislation regulating data privacy not specific to a given industry. This is huge news for companies doing business in Virginia or with Virginia consumers.
Specifically, the CDPA will apply to any entity that conducts business in Virginia or produces products or services that are targeted to Virginia residents and either a) controls or processes the personal data of at least 100,000 consumers during a calendar year, or b) controls or processes the personal data of at least 25,000 consumers and derives at least 50% of its gross revenue from the sale of personal data. Unlike California’s privacy act, the Virginia CDPA does not impose any revenue threshold. Therefore, businesses will be subject to the law based solely on the number of consumer records they maintain.
Entities affected by the CDPA will be required to limit the type of consumer data may be collected. Additionally, these companies will be required to give a privacy notice to consumers showing the purpose for processing personal data, categories of data processed, categories of any personal data shared with third parties, and the categories of any third parties the data is shared with.
The CDPA will also give consumers the right to know whether their data is being collected and processed and ask for a copy of their data, correct inaccuracies, ask for the deletion of personal data, and opt out of the processing of personal data that may be used for targeted advertising, sale, or consumer profiling. A company’s privacy notice will also be required to direct consumers on how they can exercise these rights and appeal any decision made by the company with regard to the consumer’s request.
The CDPA is less stringent than California’s statute in that it offers a large number of exemptions, either by type of entity or by the type of data being collected. Exempted entities include certain financial and healthcare institutions, nonprofit organizations, and institutions of higher education. Virginia government agencies and organizations are also exempt. Types of data exempted are even more expansive, and include specific employee and job applicant data, data governed by HIPAA, and consumer credit data regulated by the Fair Credit Reporting Act.
Any failure to comply with the CDPA carries a hefty penalty: if a company does not cure a violation within 30 days of receiving notice, the attorney general may impose a fine of $7,500 per violation (the act does not grant a private right of action to the individuals whose data is mishandled under the CDPA).
If you have questions about the CDPA or would like assistance evaluating whether your business will be affected by this new law, please contact us to set up a consult with a member of our privacy and data security practice group: