The European Union’s General Data Protection Regulation (GDPR) dominated privacy compliance efforts in 2018. Compliance efforts for the California Consumer Privacy Act (CCPA) followed in 2019, and California voters then approved the California Privacy Rights Act in 2020—necessitating additional compliance efforts in advance of that law’s 2023 effective date. And now, as of this writing, Virginia is poised to be the second U.S. state to pass comprehensive privacy legislation through its Consumer Data Protection Act (CDPA), to be effective January 2023.

Borrowing definitions and concepts from the GDPR and CCPA, the CDPA creates yet another law to complicate global and domestic compliance efforts. The law applies to businesses that control or process (1) personal data of 100,000 or more Virginia residents in a calendar year, or (2) personal data of at least 25,000 Virginia residents, and derive over 50% of their gross revenue from the sale of personal data.

The CDPA grants consumers certain rights to their personal data, including (1) access rights; (2) correction rights; and (3) deletion rights. Consumers may also opt out of the processing of personal data for (a) targeted advertising and (b) certain types of profiling. Similar to the CCPA, the CDPA grants consumers a right to opt out of the sale of their personal data, though “sale” under the CDPA is narrower than the CCPA, covering only the disclosure of personal data in exchange for monetary consideration.

Covered businesses may need to undergo another round of contract revisions with their processors, as the CDPA requires data controllers to impose GDPR-like contractual requirements, including a requirement that processors allow for and contribute to audits and inspections by the data controller.

The law also introduces “minimum necessary” principles, requiring controllers to limit collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes of processing. Similar to the GDPR, the CDPA also requires controllers to conduct “data protection assessments” for certain types of processing, such as (1) targeted advertising; (2) personal data sales; (3) profiling; (4) sensitive personal data; and (5) processing involving personal data that present a heightened risk of harm to consumers. The law explicitly allows the Virginia Attorney General to request and evaluate a controller’s data protection assessments, and exempts these assessments from Virginia’s FOIA requirements.

The CDPA includes notable carve-outs. It does not apply to personal data subject to certain laws, such as HIPAA, the GLBA, FCRA, COPPA, and FERPA. It also does not apply to publicly-available data or to “consumers” acting in a commercial or employment context.

Significantly, enforcement authority lies exclusively with the Virginia Attorney General—no private right of action exists under the CDPA. The law contains a 30-day right to cure after notice of a violation, after which the Attorney General may initiate an action and seek damages for up to $7,500 per violation.

Virginia may be next, but with bills pending all over the country, it likely will not be the last as companies continue to grapple with privacy compliance.

About the author:

Anna Hsia maintains a diverse practice counseling clients on product development and privacy issues, and litigating complex business disputes. Her broad clientele includes companies in the gig economy, online gaming, cloud computing, advertising, and biotechnology space.