Virginia Consumer Data Protection Act Approved

Governor Ralph Northam has signed the Virginia Consumer Data Protection Act (CDPA) into law. The CDPA requires businesses operating in the Commonwealth of Virginia to comply with new data privacy and security requirements. The CDPA takes effect on January 1, 2023.

The CDPA shares many of the privacy and security requirements of the EU's General Data Protection Regulation (GDPR), enforced from March 25, 2018, and the California Consumer Privacy Act (CCPA), effective January 1, 2020. Although the CDPA has parallels with the GDPR and the CCPA, there are a number of differences, so compliance with the CCPA or the GDPR does not guarantee compliance with the CDPA.

Like the CCPA, the CDPA applies only to entities that control or process large volumes of consumer data; its data threshold is double that of the CCPA, but unlike the CCPA it has no minimum revenue threshold.

The CDPA applies to any person or business that:

  • Controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or
  • Controls or processes the personal data of 25,000 or more Virginia residents in a calendar year and derives at least 50% of its gross revenue from the sale of personal data.

Entities Exempted from the Virginia Consumer Data Protection Act

Entities already covered by certain federal laws that include data privacy and security provisions are exempt from the CDPA. Organizations covered by the following laws are exempt:

  1. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act
  2. The Gramm-Leach-Bliley Act (GLBA)

HIPAA- and GLBA-covered entities are exempt entirely, not just for the data covered by those acts but also for any other data that would otherwise be protected by the CDPA.

There are additional exemptions for the following categories of data:

  1. Data covered by the Children's Online Privacy Protection Act (COPPA)
  2. Data covered by the Family Educational Rights and Privacy Act
  3. Data covered by the Driver's Privacy Protection Act
  4. Data covered by the Fair Credit Reporting Act (FCRA)
  5. Data covered by the Farm Credit Act
  6. Personal data processed in an employment context

Other entities exempt from CDPA compliance include:

  1. Any body, authority, board, bureau, commission, district, or agency of the Commonwealth of Virginia, or any political subdivision of the Commonwealth
  2. Not-for-profit organizations
  3. Institutions of higher education

Virginia Consumer Data Protection Act Requirements

The CDPA protects the personal data of any natural person who resides in the Commonwealth and is acting only in an individual or household context, but not when acting in a commercial or employment context. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person.

The CDPA does not apply to publicly available data or to de-identified data. Publicly available data is defined as data that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

The CDPA restricts covered entities from selling personal data without consent, with a sale defined as the exchange of personal data for monetary consideration by the controller to a third party.

The CDPA limits data collection to what is adequate, relevant and reasonably necessary for the purposes for which the data is processed. Data may only be used for purposes that are reasonably necessary for, and compatible with, the purposes to which the consumer has consented.

Covered entities must ensure that reasonable technical, physical and administrative safeguards are in place to protect any data collected or processed, and data controllers must conduct data protection assessments, although the required frequency of those assessments is not specified.

Covered entities must also provide consumers with a privacy notice that describes the categories of data collected and processed, the purposes of the processing, and consumer rights and how they may be exercised. Consumers must be informed of the third parties with whom personal data is shared and the categories of data that will be disclosed to those third parties, and consent must be obtained before data is collected or processed.

Consumer Rights of Virginia Residents Under the CDPA

Virginia residents have the right to:

  • Access the personal data held by a covered entity.
  • Correct inaccuracies in the personal data held by a covered entity.
  • Delete personal data held by a covered entity.
  • Obtain a copy of the personal data held by a covered entity.
  • Opt out of the processing of personal data for targeted advertising purposes.
  • Appeal a business's refusal to act on a request within the required time frame (45 days). A response to any appeal must be provided within 45 days.

Penalties for Non-Compliance with the CDPA

There is no private right of action under the CDPA, so consumers cannot sue a business when they believe their CDPA rights have been violated. The Virginia Attorney General enforces compliance and may impose a penalty of approximately $7,500 per violation. However, the Attorney General must first give businesses the opportunity to correct, or "cure," the violation, and financial penalties apply only if the violation has not been cured within 30 days.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.