Regulation

Virginia Consumer Data Protection Act (CDPA)

Virginia CDPA establishes a framework for controlling and processing personal data in the Commonwealth of Virginia. It outlines the responsibilities and privacy protection standards for covered organizations.

Are you subject to Virginia CDPA?

Virginia CDPA applies to any organization doing business in Virginia and meets any one of the following criteria:

Processes data of 100,000 + Virginia consumers/households/devices.
Derives 50% of annual gross revenue from the sale or share of personal information and controls or processes the personal information of 25,000 consumers.

Key obligations under the Virginia CDPA

The law aims to provide the residents of the Commonwealth of Virginia control over their personal information processed by organizations doing business in Virginia or targeting residents of Virginia.

Conduct data protection assessments

Controllers and processors must carry out data protection assessments for the following:

Processing of sensitive personal information;
Sale of personal information;
Targeted advertising and profiling; and
Processing purposes that present a high risk of harm to consumers.

Consents & opt-outs

CDPA includes consent and opt-out requirements such as the following: consent requirements for minors aged 13-16 and children under age 13; processing of sensitive personal information; opt-out of targeted advertising, sale, and sharing of personal information.

Privacy notice and transparency requirements

Organizations must provide clear and meaningful privacy notices that contain personal information collected, their processing purposes, with whom they share the information and their data sources. The notice must include information on an individual’s right to opt-out of the sale of personal information or targeted advertising purposes.

Data subject rights & requests

Consumers have the right to request to know what personal information has been collected, deletion of any personal information collected, opt out of the sale of their personal information, and correct inaccurate personal information. Businesses must be able to fulfill and address these requests within 45 days.

Vendor nanagement and contractual requirements

Under Virginia CDPA, businesses must perform regular assessments and reviews of third-party vendors that process personal information and have contracts in place to ensure continued compliance.

Webinar

Building Trust and Competitive Advantage: The Value of Privacy Certifications

Join our experts in this webinar as they go over the importance of how privacy certifications can unlock business value and help you stay ahead of the competition in today’s privacy-conscious landscape.

Watch now

Achieve compliance

FAQs

When did the Virginia CDPA take effect?

The Virginia CDPA entered into force as of January 1, 2023.
Who has privacy rights under the Virginia CDPA?

The Virginia CDPA provides privacy rights to residents of Virginia including residents who are employees or job applicants, and contacts for business customers, vendors, or independent contractors.
What is personal information and sensitive personal information under the Virginia CDPA?

Personal information is information that identifies, relates to, or could reasonably be linked to a particular consumer of a household. Examples include Name, address, email address, phone number, IP address, social security number, driver’s license number, geolocation data, and biometric data used for identification.

Sensitive personal information includes examples like social security number, driver’s license number, precise location, genetic data, biometric information, racial or ethnic origin, information about a consumer’s health, religious beliefs, and citizenship or immigration status.

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.