Virginia Consumer Data Protection Act: Here Comes the Next State Privacy Law of the Land

2021 is off to a strong start in privacy legislation with Virginia passing the second state comprehensive consumer privacy law in the US.

Who Is Covered?

The Virginia Consumer Data Protection Act (CDPA) applies to entities that conduct business in Virginia or produce products or services that target Virginia residents and meet one of the following thresholds: (i) during a calendar year, control or process personal data of at least 100,000 Virginia consumers (defined below) or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The CDPA does not apply to financial institutions or data subject to the Gramm-Leach-Bliley Act, non-profits, institutions of higher education, or protected health information under the Health Insurance Portability and Accountability Act. It also does not apply to data processed or maintained for employment purposes.

Notable Requirements

Definitions are further below, but we first provide details on some of the most notable requirements imposed on covered businesses by the CDPA.

Controllers and Processors

It has become standard to enter data processing agreements where personal data is provided from one business to another. The CDPA lists specific requirements for contracts between controllers and processors. Notably, contracts must:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality,
  2. At the controller’s direction, processors must delete or return all personal data to the controller at the end of the provision of services,
  3. Processors must make available to the controller all information necessary to demonstrate the processor’s compliance with the CDPA,
  4. Allow and cooperate with reasonable assessments by the controller, and
  5. Only engage subcontractors pursuant to a written contract in line with the processor’s requirements.

Consumer Privacy Rights

Businesses must provide Virginia residents the following privacy rights:

  1. Right to confirm whether or not personal data is processed and right to access such personal data,
  2. Right to correct inaccuracies in personal data,
  3. Right to delete personal data,
  4. Right to obtain a copy of personal data that the individual has provided, and
  5. Right to opt-out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Data Protection Assessments

Data protection assessments are assessments that identify and weigh the benefits versus potential risks to consumers that flow from the processing of personal data. Companies processing data from European residents may already be familiar with privacy impact assessments. In Virginia, the following activities will require a controller to conduct and document a data protection assessment:

  1. Processing of personal data for purposes of targeted advertising,
  2. Sale of personal data,
  3. Processing of personal data for purposes of profiling,
  4. Processing of sensitive data, and
  5. For any other processing activities involving personal data that present a heightened risk of harm to consumers.

Notable Definitions

There are several notable terms in the CDPA that impact the requirements and applicability of the provisions. They are:

  1. “Consent”: Consent under the CDPA is opt-in consent, and consent requires a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.” This is more in line with European standards of consent.
  2. “Consumer”: Consumers protected under the CDPA include “natural persons who are residents of Virginia acting in an individual or household context. It does not include a natural person acting in a commercial or employment context.”
  3. “Controller”: A controller is a “natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.” Controllers are the main entities responsible for ensuring that data is handled appropriately. 
  4.  “Decisions that produce legal or similarly significant effects concerning a consumer”: The CDPA addresses data processing decisions that result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.
  5. “Processor”: A processor is a “natural or legal entity that processes personal data on behalf of a controller.” Processors are frequently service providers or vendors.
  6.  “Sale of personal data”: The definition of sale is limited to the exchange of personal data for “monetary consideration.” This is different from the California Consumer Privacy Act, which also includes non-monetary, valuable consideration in its definition of “sale.”
  7. “Sensitive data”: Sensitive data is provided greater protection and includes personal data collected from children, precise geolocation data, genetic or biometric data, and data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. For children’s data, businesses that comply with verifiable parental consent requirements under the Children’s Online Privacy Protection Act are deemed compliant with the CDPA obligations to obtain parental consent.
  8. “Targeted advertising”: The CDPA provides an opt-out right for targeted advertising, which is defined as advertisements displayed to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications.


The Attorney General is empowered to investigate business practices for violations of the CDPA and may issue injunctions or penalties up to $7,500 per violation. In addition to the penalties, the Attorney General may recover reasonable expenses incurred in investigating and preparing its case, including attorney fees. Helpfully, businesses have a 30-day cure period under the law. Specifically, if the Attorney General provides notice to a business that it is in violation of the CDPA, the business may respond with an express written statement that the alleged violation has been cured and that no further violations shall occur. Upon confirmation, the Attorney General will take no further action.

There is no private right of action for violations of the CDPA.

What Is Next?

The CDPA is scheduled to take effect January 1, 2023, so businesses have a little less than two years to review and implement requirements. The next stage of the CDPA involves a working group that will submit findings, best practices, and recommendations regarding the implementation of the CDPA to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology, and Innovation by November 1, 2021.

For businesses working to align their data privacy programs, the January 1, 2023 date is also the date that California’s California Privacy Rights Act takes effect. For information on that law as well, please see here.


Continue Reading