Earlier this month, Virginia became the second state to enact a comprehensive privacy law with the passing of the Consumer Data Protection Act (CDPA). The CDPA bears similarities to both the CCPA (California’s comprehensive privacy law) and the GDPR (the EU’s comprehensive privacy law). The CDPA becomes effective in 2023.
The CDPA is only eight pages, linked here, but we break it down to the basics below.
The law applies to anyone that either conducts business in Virginia or produces products or services for Virginia residents, and either processes personal data of at least 100,000 consumers or processes personal data of at least 25,000 consumers and derives over 50% of business profits from the sale of personal data.
The CDPA affords the term “personal data” a broad definition, encompassing “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The term “processing” is similarly broad, including “any operation or set of operations performed… such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
Notably, the CDPA uses GDPR terms “controller” and “processor,” referring to the controller as someone who determines the purpose for processing personal data and the processor as someone who processes the data on behalf of the controller.
The CDPA grants consumers in Virginia similar rights to those afforded in both the CCPA and GDPR. Consumers have the right to submit a request to the controller to:
Controllers who receive such a request have 45 days to respond. If the controller declines to take the requested action, it must notify the consumer of this decision along with its justification within 45 days and give the consumer an opportunity (and means) to appeal.
The CDPA requires controllers to have a privacy notice that discloses to consumers:
The CDPA’s additional controller responsibilities largely mirror the Fair Information Privacy Practices (adopted as guidelines by the OECD), requiring controllers to do the following:
Processors have an obligation to adhere to any instructions given by the controller, and to assist the controller in meeting its requirements.
Controllers and processors are required to execute a data processing contract that ensures the processor will do the following:
There is no private right of action under the CDPA. Instead, Virginia's Attorney General has sole enforcement authority. Upon notice of a violation from the Attorney General, controllers have 30 days to fix the problem. If they do not, then they are subject to up to $7,500 per violation.
Clickwrap can help you manage disclosures, consents, and opt outs. Clickwrap can also help you get processors to sign data processing contracts quickly and efficiently, which should be standardized and easily accepted with a single click. Learn more in our eBook, 101 Ways to Use Clickwrap.