What is the Virginia Consumer Data Privacy Act?

The California Consumer Protection Act (CCPA), which became law in 2018, was the nation’s first comprehensive consumer data privacy law. Virginia recently passed similar legislation in March of 2021. The Virginia data privacy law is called the Consumer Data Protection Act (CDPA). This data privacy law takes effect on July 1, 2023. The CDPA, like the CCPA, imposes data privacy obligations on businesses, and gives state residents more control over their personal data. More details about the CDPA, including who is exempt from its data privacy provisions, are provided below.

Who is Covered by the Virginia Consumer Data Privacy Act?


The CDPA applies to businesses that: (1) control or process the personal data of more than 100,000 Virginia residents acting in an individual or household context, or (2) control or process the personal data of at least 25,000 consumers and derive over 50% of their revenue from the sale of personal data. The law excludes data collected in an employment or business-to-business context. A “business-to-business” transaction is a transaction made between two companies, as opposed to a transaction between an individual and a company.

Rights and Responsibilities Under the Virginia Consumer Data Privacy Act

The CDPA imposes data privacy obligations on data controllers and processors. The law defines controllers as entities that determine the purpose and means of processing personal data. Processors, by contrast, are entities that process personal data on behalf of a controller. Processing activities include (among other things) the sale of personal data, targeted advertising, and profiling. Profiling is the collection of personal data, and the inferences drawn from it, for the purpose of predicting a consumer’s behavior.

The law provides consumers with six main rights with respect to their personal information. Under the law, a consumer is a “natural person who is a Virginia resident.” The CDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The CDPA provides special privacy protection for “sensitive data.”

Sensitive data is defined as a category of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data processed for the purpose of uniquely identifying a natural person;
  • Personal data collected from a known child; or
  • Precise geolocation data.


The CDPA data privacy law places several responsibilities on controllers, including:

Limits on data collection and use.

The CDPA requires that data controllers limit personal data collection to what is adequate, relevant, and reasonably necessary for the purpose for which the data is processed. If a controller wants to process personal data for a purpose beyond what is reasonably necessary for that disclosed purpose, the consumer must first consent to that processing.

Reasonable security practices.

Data controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The scope of these protections should be appropriate to the volume and nature of the personal data at issue, including whether the data is sensitive.

Consent for Processing Sensitive Data.

Before a controller can process any sensitive data of a consumer, the Virginia data privacy law requires that the controller obtain the consumer’s consent. Consent is defined as a clear, affirmative act that indicates a consumer’s freely given, specific, informed, and unambiguous agreement to the processing. One example of an “affirmative act” is a consumer writing out a statement that gives consent.

Data Processing Agreements (DPAs).

Similar to how HIPAA covered