Virginia's Consumer Data Protection Act (CDPA)

What is Virginia data privacy law?

On March 2, 2021, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA or law) into law. This makes Virginia the second state behind California to adopt a comprehensive consumer privacy law. This bill brings together concepts from the EU’s General Data Protection Regulation GDPR and CCPA, the California Consumer Privacy Act, and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023. The Virginia CDPA establishes stringent guidelines for businesses in the state, emphasizing transparency and accountability in the collection and processing of consumer information.

Who must comply with Virginia CDPA?

Virginia’s Data Privacy Law, commonly known as the Virginia Consumer Data Protection Act (CDPA), empowers residents by enhancing their control over personal data.

The law applies to “Individuals who do business in Virginia or who manufacture products or services aimed at residents of Virginia who:

Control or process personal data of at least 100,000 residents of Virginia during a calendar year or
Control or process personal data of at least 25,000 residents of Virginia and earn more than 50 percent of gross income from personal data sales.”

Who enforces CDPA?

In Virginia, CDPA can be enforced through civil actions brought by the Attorney General as there is no provision for a private right of action. The penalty for non-compliance may be up to $7,500 per violation.

Key highlights of CDPA:

Personal Data"Personal data" under Virginia CDPA means "any information that is linked or reasonably linkable to an identified or identifiable natural person."

Consumer RightsThe CDPA provides the consumer rights, which largely mirror those provided by the CPRA.

Privacy AssessmentsCDPA requires controllers to carry out data protection assessments of processing activities when personal data is used for targeted advertising or sold or used for profiling or the use of sensitive data or use of any data that pose a heightened risk of harm to consumers.

ConsentUnder CDPA, consent means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”

Know the difference between Virginia’s CDPA, CCPA and CPRA?

Download this whitepaper to know more about the key differences between the provisions of Virginia’s new privacy law called CDPA, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).  It provides an overview of each law’s requirements, highlighting their similarities and differences. Although there are some similarities in all the active privacy laws, the framework, and definitions of CDPA carries its unique requirements and guidance.

Download White Paper

Know the difference between Virginias CDPA, CCPA and CPRA - Mandatly Inc.

Personal Data

Personal Data under CDPA is broad and relatable to the CCPA and GDPR. It excludes de-identified and publicly available information.
The CDPA defines a consumer as someone acting in an individual or household context, and it expressly does not include “a natural person acting in a commercial or employment context.” It also exempts personal data collected from job applicants.

“Sensitive data” means “a category of personal data that includes”:

Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
The processing of genetic or biometric data for to uniquely identify a natural person;
The personal data collected from a known child; or
Precise geolocation data.

CDPA Consumer Rights

The CDPA provides the following consumer rights:

Right to confirm whether the controller is processing personal information.
Right to access personal data.
Right to data portability (i.e., data must be provided in a readily usable format so that it can be transferred from one entity/platform to another).
Right to correct inaccurate personal data.
Right to delete personal data.
Right to opt-out of targeted advertising.
Right to object to automated profiling and decision-making that results in legal or significant effects concerning the consumer.
Right to non-discrimination for the exercise of these rights.
Right to opt-out of sales of personal data.

Whereas the CDPA requires that the organizations “authenticate” consumer data requests, it does not provide guidance or a description of how such authentication should be accomplished.

Data Protection Assessments

Virginia’s CDPA requires businesses to conduct and document “data protection assessments” for certain types of data practices, including the processing of personal data for targeted advertising, the processing of sensitive data, and any processing activities with potential risk to harm the consumers. Data protection assessments must be carried to show the benefits and risks arising from these practices. These assessments must be made available to the Virginia Attorney General upon request.

Start with our forever free edition

Get Started Free

No credit card required

DSAR Management
Data Subject requests per month	100
Web based intake form	1
Identity verification methods	Manual
Workflow enabled Data discovery and deletion for systems (application, database, website, file system, products etc.)
Automated data discovery and data feeds from systems	Not Included
Secured delivery with configurable expiration days
Standard workflow (configurable) and email integration
Standard notifications and response templates
Reporting and dashboards
Customized workflow and notification
Remove “Mandatly” Branding

Cookie Compliance
Number of Domains (additional cost for multiple domains)	1
Website Scanning (Pages and sub-domains)	Upto 50 pages
Periodic scanning	Manual
Cookie categorization	Automatic
Predefined banners and layouts
Configurable banners and layouts
Configurable consent categories
Unlimited consent records	upto 50000
Multiple language support
Remove “Mandatly” Branding

Data Inventory
Data Asset (application, database, website, file system, products etc.)	25
Processing activites	100
Pre-built data inventory assessment templates
Auto risk detection
Data elements (Predefined and custom)
Standard workflow (configurable), e-mail Integration and notification
Standard notifications and response templates
Reporting and Dashboard
Create you own data inventory assessment templates, Set up risk rules and alerts
Custom workflow and notification
API integration with external systems
Remove “Mandatly” Branding

Intelligent Assessment
Assessments on Processing activities and Data Sources (Application, Database, Website, Manual, Products etc.)	50
Standard Assessment templates (PTA, PIA/DPIA, PbD)
Configure your own assessments and setup up risks and alerts
Integration with Data Inventory to link data sources and processing activities (RoPA)
Standard Workflow, Notification and Email Integration
Reporting and Dashboard
Custom workflow and notification
Risk assessment and Mitigation
Remove “Mandatly” Branding

DSAR Management
Data Subject requests per month	Unlimited
Web based intake form	10
Identity verification methods	Manual Email Verification
Workflow enabled Data discovery and deletion for systems (application, database, website, file system, products etc.)
Automated data discovery and data feeds from systems	Upto 2 systems
Secured delivery with configurable expiration days
Standard workflow (configurable) and email integration
Standard notifications and response templates
Reporting and dashboards
Customized workflow and notification
Remove “Mandatly” Branding

Virginia's Consumer Data Protection Act (CDPA)

What is Virginia data privacy law?

Who must comply with Virginia CDPA?