Virginia's Consumer Data Protection Act: What You Need to Know

New Regulation - CDPA-04

Product Counsel Nicole Dobias, CIPP/US provides a primer on the latest data protection act and how it affects businesses in the U.S.

Earlier this month, Virginia became the second state to enact a comprehensive privacy law with the passing of the Consumer Data Protection Act (CDPA). The CDPA bears similarities to both the CCPA (California’s comprehensive privacy law) and the GDPR (the EU’s comprehensive privacy law). The CDPA becomes effective in 2023.

The CDPA is only eight pages, linked here, but we break it down to the basics below. 

Scope and Definitions

The law applies to anyone that either conducts business in Virginia or produces products or services for Virginia residents, and that either (a) processes the personal data of at least 100,000 consumers, or (b) processes the personal data of at least 25,000 consumers and derives over 50% of business profits from the sale of personal data.

The CDPA affords the term “personal data” a broad definition, encompassing “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The term “processing” is similarly broad, including “any operation or set of operations performed… such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”

Notably, the CDPA uses the GDPR terms “controller” and “processor,” referring to the controller as someone who determines the purpose for processing personal data and the processor as someone who processes the data on behalf of the controller.

Consumer Rights

The CDPA grants consumers in Virginia rights similar to those afforded under both the CCPA and the GDPR. Consumers have the right to submit a request to the controller to:

  1. Confirm whether the controller is processing their personal data;
  2. Correct inaccuracies in their personal data;
  3. Have their personal data deleted;
  4. Obtain a copy of their personal data; and
  5. Opt out of the controller’s sale and processing of their personal data for targeted advertising or profiling purposes.

Controllers who receive such a request have 45 days to respond. If the controller declines to take the requested action, it must notify the consumer of this decision along with its justification within 45 days and give the consumer an opportunity (and means) to appeal.

Controller Responsibilities

The CDPA requires controllers to have a privacy notice that discloses to consumers:

  1. The categories of personal information the controller processes;
  2. The purpose for processing the personal data;
  3. How consumers can (easily) exercise their rights under the act;
  4. The categories of personal data the controller shares with third parties; and
  5. The categories of third parties the controller shares personal data with.

The CDPA’s additional controller responsibilities largely mirror the Fair Information Privacy Practices (adopted as guidelines by the OECD), requiring controllers to do the following:

  1. Limit what personal data is collected to what is adequate, relevant, and reasonably necessary to the purposes for which such data is processed;
  2. Not process personal data that is not reasonably necessary nor consistent with the disclosed purpose for processing;
  3. Have reasonable administrative, technical, and physical data security practices to protect and ensure the confidentiality, integrity and accessibility of personal data;
  4. Not process personal data in violation of state laws that prohibit unlawful discrimination against consumers; and
  5. Not process personal data without express consumer consent.

Processor Responsibilities and Data Processing Contracts

Processors have an obligation to adhere to any instructions given by the controller, and to assist the controller in meeting its requirements.

Controllers and processors are required to execute a data processing contract that ensures the processor will do the following:

  1. Subject anyone processing the personal data to a duty of confidentiality;
  2. Delete any personal data given to it by the controller upon request;
  3. Make available any information to the controller that is necessary to demonstrate compliance with the CDPA;
  4. Cooperate with the controller’s reasonable assessments; and
  5. Require any subprocessors to meet the same obligations as the processor with respect to personal data.

Enforcement and Violations

There is no private right of action under the CDPA. Instead, Virginia's Attorney General has sole enforcement authority. Upon notice of a violation from the Attorney General, controllers have 30 days to fix the problem. If they do not, they are subject to a penalty of up to $7,500 per violation.

How Can Clickwrap Help?

Clickwrap can help you manage disclosures, consents, and opt outs. Clickwrap can also help you get processors to sign data processing contracts quickly and efficiently, which should be standardized and easily accepted with a single click. Learn more in our eBook, 101 Ways to Use Clickwrap.
