
The Data Privacy Legislation Floodgates Have Opened: Virginia Passes the CDPA

Virginia Joins the Ranks of States Passing Data Protection Legislation

by Alexander Koskey and Matthew White
March 17, 2021
in Data Privacy, Featured

A growing wave of states are considering and passing data privacy legislation. Virginia is the latest to join. This article provides a quick rundown of the implications of the Consumer Data Protection Act.

Virginia has become the latest state to pass comprehensive privacy legislation as its legislature voted to enact SB 1392, known as the Consumer Data Protection Act (CDPA). Although many other states have proposed privacy laws during current legislative sessions, Virginia becomes the first state this year to adopt new privacy legislation. Governor Ralph Northam signed it into law on March 2. The act will take effect on January 1, 2023.

The CDPA is noteworthy for several reasons:

  1. It adopts the concepts of “controller” and “processor” found in the European Union’s General Data Protection Regulation (GDPR) and focuses on the “processing” of personal data of consumers;
  2. It requires controllers to perform and document data protection assessments for specified processing activities; and
  3. It continues the trend of expanding consumer rights, as we have seen in the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

The CDPA will have a substantial impact on businesses that process the personal data of Virginia consumers and is likely to create new compliance hurdles for covered businesses. Businesses that are subject to California’s privacy regime may have a head start in preparing to comply with the act but will nevertheless still need to ensure compliance with its unique provisions. Covered businesses that have not dealt with CCPA/CPRA compliance will have a significant amount of work to do. This alert summarizes several of the CDPA’s key provisions.

The Scope and Applicability of Virginia’s Data Privacy Legislation

The act applies to people who conduct business in Virginia or “produce products or services that are targeted to residents of Virginia” and either:

(i) “control or process the personal data of at least 100,000 consumers” during a calendar year or

(ii) “control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”

“Personal data” is defined by the CDPA as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This is similar in concept to the CCPA, but sets a different standard for organizations to absorb.

A “consumer” is defined as “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a person acting in a commercial or employment context.” This definition is significant, as the act does not apply to personal data of employees or personal data collected from individuals in the context of business-to-business transactions, both of which have created significant questions as to their ultimate treatment under California’s laws.

Consumer Rights and Compliance Obligations

Similar to other proposed legislation, the CDPA borrows many of its consumer rights and compliance obligations from the CCPA and CPRA. These include:

  • Requiring businesses to disclose (i) the categories of personal data to be processed, (ii) the purpose for processing the personal data and (iii) the categories of personal data that are shared with third parties;
  • Giving consumers the right to opt out of the sale of personal data to third parties or the processing of personal data for targeted advertising;
  • Requiring data minimization principles under which only personal data that is “adequate, relevant and reasonably necessary” for the purposes for which the personal data is to be processed is collected;
  • Requiring businesses to establish and maintain reasonable administrative, technical and physical data security practices appropriate to the volume and nature of personal data at issue;
  • Restricting the processing of a consumer’s sensitive data without obtaining the consumer’s consent;
  • Providing consumers with rights to (i) access personal data being processed by a controller, (ii) correct inaccuracies in their personal data, (iii) delete personal data provided by or obtained about the consumer and (iv) obtain a copy of the personal data that the consumer previously provided to the controller in a portable and readily usable format;
  • Requiring a formal appeal process for consumers if a controller refuses to take action on a consumer request; and
  • Requiring written contracts between controllers and processors that set forth the instructions for processing personal data, the nature and purpose of processing, the duration of the processing and the rights and obligations of both parties.

Determining whether a person is acting as a “controller” or “processor” is a fact-based determination, and each party’s role should be defined within the contract.

Broad Exemptions

The CDPA contains far broader exemptions than other state privacy laws. Specifically, it exempts “financial institutions or data subject to” the Gramm-Leach-Bliley Act (GLBA). This is a significant shift from other laws like the CCPA, whose exemption only applies to information subject to the GLBA. The CDPA also includes exemptions for covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), nonprofits and educational institutions.

Enforcement

The Virginia Attorney General has exclusive authority to enforce the act. Any controller or processor that violates it could face a penalty of up to $7,500 for each violation. The CDPA does not contain a private right of action for consumers.

Key Takeaways

Virginia’s Consumer Data Protection Act aggregates many terms, rights and compliance obligations found in other privacy legislation like the GDPR, CCPA and CPRA. While there are many similarities to the CCPA and CPRA, businesses that are subject to those laws cannot and should not assume that their prior compliance efforts in California or the EU are sufficient to comply with the CDPA. The act contains several unique provisions that require action, including:

  • Providing additional rights allowing consumers to opt out of the processing of personal data relating to targeted advertising and
  • Requiring businesses to perform a detailed analysis of processing activities between “controllers” and “processors” and to specifically outline the rights and responsibilities of each in written contracts.

Virginia’s CDPA is just the tip of the iceberg for new privacy legislation expected this year. At least 15 other states, including New York, have either introduced new privacy legislation or have privacy bills in committee. Each state law will have varying terms and scopes and will impose unique compliance obligations on covered businesses. Therefore, it is imperative for businesses to perform a comprehensive review of their privacy management programs. They need to understand what personal information is collected from individuals and how that personal information is being used by the business. Performing these tasks now will help ease the burden of addressing the litany of compliance obligations mandated by these new laws.


Alexander Koskey and Matthew White

Alexander Koskey, an attorney in Baker Donelson’s Atlanta office, is a Certified Information Privacy Professional and represents financial institutions and organizations on a wide range of data privacy, regulatory and compliance and litigation matters.
Matthew G. White, a shareholder in the Memphis office of Baker Donelson, advises clients on a wide variety of cybersecurity and data privacy issues. He is a Certified Information Privacy Professional (CIPP / US, CIPP / E) and a Certified Information Privacy Manager (CIPM).
