Virginia Consumer Data Protection Act (CDPA)

Second in the nation behind California to enact online privacy regulation, Virginia’s new law takes effect on January 1, 2023.

Similar to the law in California that is again similar in itself to the more stringent privacy regulations in the European Union, Virginia has new privacy rules now too.

What does this mean for US and Virginia-based businesses and those selling in Virginia?

First and foremost, if you do not have cookie notifications on your website, now is the time to implement this scripting. There are many online services that provide the scripts to meet the European Unions’ strict rules and can be used to meet both California and Virginia’s regulations. We use cookie-script.com for our privacy adherence needs.

For Virginia businesses and those that do business in Virginia, here’s what you need to know about this recently passed act.

First you must be in compliance by January 1, 2023.

“Virginia’s legislation has a carve-out for information collected in the employment context, whereas California’s law applies to some employment data.” Read the full article.

The CDPA applies to the following business types:

• Those that control or process the personal data of at least 100,000 consumers.

• Those that process the personal data of at least 25,000 consumers and derive more than 50 percent of their gross revenue from selling personal data.

Make sure to check this article for a number of exemptions. Virginia has made its law less stringent than California’s privacy law, but make sure you know what is covered and not covered.

What Are Your Rights in this New Law?

“Virginia’s law was modeled after California’s laws and the European Union General Data Protection Regulation. Virginia’s law provides expansive consumer privacy rights, such as the right to access, right of rectification, right to delete, right to opt out, right of portability and right against automatic decision-making. The act includes a broad definition of “personal information,” a “sensitive data” category, and data-protection assessment requirements for businesses that control the data.”

“Consumers don’t have the right to bring a private lawsuit for violations of the act. Instead, the Virginia attorney general’s office will enforce the law. Entities will have the opportunity to cure violations or face a fine of $7,500 per violation.” Read more.

Most people expect other states to follow with restrictions similar to Virginia’s or California’s.

Our Recommendation

With privacy being in the forefront of everyone’s mind right now, it is time to look at adding a privacy statement and cookie setting acknowledgement script on your website.

When the EU rolled out it’s privacy regulation several years ago, many businesses opted to not update their site for cookie approval as they felt they were exempt (erroneously) by not selling services or products in the European Union. Now with expansion of similar regulations to California and Virginia, it is time to implement technology to be in compliance this year and at the minimum by December 31, 2022.