Earlier this year, Virginia officially became the second state to enact a comprehensive data privacy law in the United States – the Consumer Data Protection Act (CDPA). The CDPA was passed in response to growing concern over the misuse of consumer personal data. This new law improves the data privacy rights of Virginia consumers and dictates how businesses must protect consumers' personal data.
Signed into law on March 2, 2021, by Governor Northam, the CDPA will go into effect in less than two years on January 1, 2023 – the same day as the California Privacy Rights Act (CPRA). The CDPA also shares many common elements with various other privacy regulations, including the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).
Below, we explore the key provisions of the Consumer Data Protection Act and take a closer look at how this new law compares to the CCPA, CPRA, and GDPR, focusing especially on how it differs from the CCPA, as many U.S. organizations have implemented measures to comply with this law.
Background of the CDPA
On January 20, 2021, the Virginia House presented the Consumer Data Protection Act during one of the state's shortest legislative sessions (30 days). Without considerable time to debate any controversial topics (i.e., Washington's enforcement authority or private right of action), the CDPA was officially passed on February 24 and then signed into law by the Virginia Governor on March 2. The CDPA is currently set to go into effect on January 1, 2023.
Key Provisions of the CDPA
The CDPA incorporates the components of numerous other data privacy laws and regulations, including the CCPA, the CPRA, and the EU's GDPR. Below, we have outlined some of the key provisions of the CDPA.
Similar to the CCPA, the CDPA aims to increase the protection of consumers’ data and expand privacy rights for Virginia residents. A consumer is defined as "a natural person who is a resident of the Commonwealth acting only in an individual or household context," according to the CDPA.
The CDPA applies to any person that conducts business in Virginia or provides products or services targeted to Virginia residents and that meets either of the following criteria:
- Control or process the personal data of at least 100,000 consumers during a calendar year.
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.
The CDPA lacks a gross revenue threshold like that of the CCPA (gross revenue of more than $25,000,000), meaning that even large businesses will not be subject to the law if they do not fall into one of the two categories above. In addition, businesses located outside of the state will be subject to the law if they meet the necessary thresholds, similar to the CCPA.
The CDPA uses the term “personal data” (unlike “personal information” under the CCPA), which refers to “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This excludes publicly available information, de-identified data, and information that is linkable only to a household rather than to an individual.
Additionally, under the CDPA, a sale of personal data occurs when a controller exchanges personal data with a third party for monetary consideration. This is in contrast to the CCPA, which also treats an exchange of "personal information" for "other valuable consideration" as a sale, not just an exchange for monetary consideration. A sale does not include disclosures to: 1) processors, 2) the controller's affiliates, or 3) a third party for the purpose of providing products or services requested by the consumer; nor does it include 4) transfers as part of a merger, acquisition, or similar transaction, or 5) information that the consumer intentionally made available to the general public via a mass media channel without restricting it to a specific audience.
Consumer Privacy Rights
Consumers have a number of privacy rights under the CDPA; however, these rights are more on par with those found in the CPRA and the GDPR than the CCPA. These rights include:
Right to Access.
Consumers have the right to confirm whether a controller is processing their personal data, as well as the right to access such personal data, similar to the CCPA.
Right to Correct.
Differing from the CCPA, the CDPA gives consumers the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the consumer's information.
Right to Delete.
Consumers have the right to delete personal data provided by or obtained about them, a right also provided by the CCPA. For controllers, however, the CDPA provides fewer exceptions than the CCPA on which to rely when denying a consumer's request to delete their personal information.
Right to Data Portability.
The CDPA grants consumers the right to obtain a copy of their personal data from the controller in a portable and readily usable format that allows them to transfer the data to another entity or platform. The same right is provided by the CCPA, as well.
Right to Opt Out.
Like the CCPA, the CDPA gives consumers the right to opt out of the sale of their personal data. But the CDPA adds two further opt-out rights: the right to opt out of the processing of personal data for purposes of targeted advertising, and the right to opt out of profiling that produces legal or similarly significant effects concerning the consumer (e.g., decisions that result in the denial of financial services, housing, education, healthcare, or employment).
For each consumer request, controllers have 45 days to respond, with an additional 45-day extension available if reasonably necessary for the business to comply. In certain cases, such as when a controller cannot authenticate a consumer's identity, the controller can decline to comply with a consumer's request. To do so, the controller must provide the reason for declining and instructions on how to appeal the decision within the 45-day timeframe from the initial request.
If a consumer submits an appeal, the controller must inform the consumer of whether or not any action will be taken in response to the appeal within 60 days. If the appeal is denied, the controller will need to provide the consumer with how they can submit a complaint to the Attorney General.
Sensitive Personal Data and Consent Requirements
Unlike the CCPA, the CDPA separately defines sensitive data, covering four categories:
- Revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- The processing of genetic or biometric data for the purpose of uniquely identifying an individual
- Personal data of a known child
- Precise geolocation data
The CDPA adds obligations for sensitive data, such as requiring covered companies to obtain opt-in consent to collect or process sensitive data. Consent must be a “clear affirmative act" that signifies a consumer's "freely given, specific, informed, and unambiguous agreement” to the processing of their personal data. Consent must also be explicitly given, meaning a consumer must clearly and explicitly agree to their sensitive data being processed, such as by ticking a box saying "I consent" or "I agree." This requirement is more aligned with the GDPR than the CPRA, and notably different from the CCPA, which does not separately define or categorize sensitive data.
The CDPA uses the term "controller" to describe an entity (natural or legal person) that determines the purpose and means of processing personal data. Under the Virginia law, controllers have many responsibilities that are similar to the obligations found in the CCPA, yet slightly more stringent. These duties include:
- Reasonable Security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Privacy Notice: Controllers must provide consumers with a "reasonably accessible, clear, and meaningful privacy notice” describing their data collection practices, whether they sell personal data or provide such data for targeted advertising, and how consumers can exercise their rights and appeal a controller's decision.
- Written Contract: Controllers must enter into a written contract with third-party processors that process data on their behalf. The contract must set forth the instructions and limitations on how the processor can process personal data, including the duration of processing and the rights and obligations of both parties.
- Consent for Processing Sensitive Data: Controllers must obtain consent from the consumer before processing any sensitive personal data.
- Data Minimization: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purpose for which the data is processed, ensuring purpose limitation and data minimization.
- Data Protection Assessment: Controllers must conduct and document a data protection assessment for certain processing activities (e.g., the sale of personal data, targeted advertising or profiling, and activities that present a heightened risk of harm to consumers) that weighs the benefits of these processing activities to the business against the risks to consumers.
- Consumer Request Process: Controllers must establish one or more secure means for consumers to submit requests to exercise their rights. Consumers should not be required to create a new account in order to access their data, but controllers can require a consumer to use an existing account.
The obligations of processors (natural or legal entities that process personal data on behalf of a controller) are generally connected to their contracts with controllers. They are required to follow the instructions of controllers and assist them in meeting their CDPA obligations. Processors also help controllers implement appropriate technical and organizational measures to respond to consumer rights requests and provide the necessary information for controllers to comply with their data protection assessment obligations.
In addition, the relationship between a controller and a processor must be governed by a written contract. This contract must include the following processor requirements:
- A duty of confidentiality for each person processing personal data.
- At the controller's discretion, the deletion or return of all personal data to the controller at the end of the provision of services, unless retention of the personal data is required by law.
- Making available all the information in the processor's possession necessary to demonstrate its compliance with the CDPA.
- Cooperation with reasonable assessments by either the controller or the controller's designated assessor, or the arrangement for a qualified and independent assessment.
Most notably, the CDPA does not grant consumers a private right of action, instead giving the Virginia Attorney General exclusive rights to enforce the law. The Virginia Attorney General is granted investigative authority and has the ability to seek injunctive relief and damages and impose civil penalties of up to $7,500 per violation, as well as any reasonable expenses incurred in investigating and preparing the case (e.g., attorney fees).
If the Attorney General decides to take action, the controller will be notified and then has a 30-day cure period to remedy any violations to avoid penalties. The controller must also provide a written statement to the Attorney General declaring that the violation has been cured and that no further violations shall occur.
The CDPA and CCPA have many enforcement similarities. The CCPA gives the California Attorney General enforcement capabilities, but also provides consumers a private right of action. The penalties under the CCPA are similar yet slightly more specific at $2,500 per violation and $7,500 per intentional violation. Controllers are also afforded the same 30-day cure period.
The CDPA contains a number of entities and data that are exempted from its scope, including:
- Covered entities or business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA).
- Any financial institution, and any data, subject to the Gramm-Leach-Bliley Act (GLBA).
- Data collected for credit reporting purposes under the Fair Credit Reporting Act (FCRA).
- Nonprofit organizations.
- Higher education institutions.
The CDPA also exempts information subject to the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and personal data processed in employment contexts (e.g., employee and job applicant data).
Comparison Between the CDPA and the CCPA
Since the CDPA draws from the privacy regulations preceding it, those already compliant with the CCPA should have a head start on their compliance efforts. However, the CDPA does contain a number of differences from the CCPA, which we compare below.
| Provision | CDPA (Virginia) | CCPA (California) |
|---|---|---|
| Effective Date | January 1, 2023 | January 1, 2020* |
| Applicability | Persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that meet one of the processing thresholds listed above | A legal entity doing business in California for profit that meets one or more of the CCPA's thresholds |
| Covered Personal Information | Any information that is linked or reasonably linkable to an identified or identifiable natural person | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household |
| Sensitive Personal Information (Sensitive Personal Data) | Consent is required to process sensitive data, which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected of a known child, and precise geolocation data | Not currently covered** |
| Employment Context Data | Does not apply to personal data associated with individuals acting in an employment context | Exemptions were originally set to expire on January 1, 2022, but were extended to January 1, 2023 (CPRA***) |
| Consumer | A natural person who is a resident of the Commonwealth acting only in an individual or household context | A natural person who is a California resident |
| Consumer Privacy Rights | Access, correction, deletion, data portability, and opt out of sale, targeted advertising, and profiling | Access, deletion, data portability, and opt out of sale (no right to correct) |
| Enforcement Authority | Virginia Attorney General | California Attorney General |
| Private Right of Action | No | Yes |
| Cure Period | 30 Days | 30 Days |
| Noncompliance Fines | $7,500 per violation | $2,500 per violation, $7,500 per intentional violation; depending on the severity, consumers can collect $750 or more from a data breach |

*The CPRA will come into effect on January 1, 2023, but the law's look-back period (similar to the CCPA) will begin on January 1, 2022.

**The CCPA considers direct identifiers (postal address, SSNs, passport information), indirect identifiers (cookies, telephone numbers, IP addresses), biometric data (face, retina, fingerprints, DNA, health data), geolocation data, and internet activity (browsing history, search history) to be "personal information" rather than "sensitive information."

***Similar to the CCPA, the CPRA also has a 12-month look-back period, which applies to data processed on or after January 1, 2022.
The Virginia Consumer Data Protection Act marks a significant milestone for data protection in the United States as the second state to pass a comprehensive privacy law. While 2023 might seem far away now, with California's CPRA, Colorado's CPA, and now Virginia's CDPA all going into effect in the same year, it's never too early to get started on compliance efforts. And if Virginia is a sign of what's to come, it's best to keep a watchful eye on pending state laws, because anything can change in just 30 days.