Any day now, Virginia will likely become the second state, behind California, to adopt a GDPR-inspired comprehensive data protection law for Virginia residents.
What are the main points covered by Virginia’s Consumer Data Protection Act (“CDPA”)?
Like Europe’s GDPR and California’s CCPA, the CDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and to opt out of processing of the personal data for purposes of targeted advertising, sale, or profiling of the personal data.
The CDPA also expands Virginia’s definition of personal data, to include “sensitive data,” which includes, among other categories, race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation.
Who does the CDPA apply to?
The CDPA will apply to businesses that conduct business in Virginia, or produce products or services that target Virginia residents, and that (1) during a calendar year, control or process personal data of at least 100,000 “consumers” or (2) control or process personal data of at least 25,000 “consumers” and derive over 50% of gross revenue from the sale of personal data. “Consumer” is defined as a natural person who is a resident of Virginia, acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.
As with CCPA, there are broad exemptions for financial institutions subject to the GLBA, covered entities and business associates governed by HIPAA or HITECH, non-profit organizations and higher education institutions subject to FERPA.
What is the current status of the proposed bill and when is it likely to come into force?
The CDPA was already passed by Virginia’s House of Delegates and Senate earlier this year and is expected to be sent to the Governor later this month. If passed, the CDPA would take effect in January 2023, at the same time as California’s new California Privacy Rights Act (CPRA).
What happens if companies don’t comply with the CDPA?
Unlike the CCPA / CPRA, there is no private right of action for consumers. Instead, the Virginia Attorney General will have exclusive authority to enforce violations. Violators will have a 30-day period to cure infractions, after which the Attorney General can seek damages of up to $7,500 per violation.