Virginia’s Consumer Data Protection Act (CDPA): All you need to know

Virginia's Consumer Data Protection Act (CDPA) Logo

    Need world class privacy tools?

    Schedule a Call >

    It’s unlikely that anyone reading this article is unaware of the privacy landscape in the US. The word “landslide” comes to mind. In 2008 a groundswell of data privacy laws began with the Illinois Biometric Information Protection Act (BIPA) which provided consumers with biometric data privacy protections. The data privacy wave continued to spread across the US and ten years later the first US comprehensive state data privacy law passed in California in 2018; it was the infamous California Consumer Protection Act (CCPA). Nevada and Maine were next, passing their comprehensive consumer privacy laws in 2019. 

    On 1 January 2020, CCPA became effective, and after numerous attempts by the California Attorney General the associated regulations were finalized. CCPA was then superseded by the more restrictive California Privacy Rights Act (CPRA). Other states are looking to implement comprehensive data privacy laws, the most current law to pass is the Virginia Consumer Data Protection Act (CDPA).  

    Pressure on the U.S government 

    A prevailing opinion in the US is that the patchwork quilt of comprehensive state data privacy laws is quickly becoming expensive and complicated to comply with and may put sufficient pressure on the US federal government to pass a federal omnibus privacy law.

    Why, you ask, is it so hard to pass a comprehensive consumer privacy law in the US? Think about it like a three-legged stool. There are three points of view to consider:

    1. Individuals whose data is being collected must decide how important privacy is in balance with the modern conveniences that their personal information provides through the vehicle of technology. Simply put, having your cake and eating it too is the desired state.
    2. The US federal and state governments tasked with protecting residents’ privacy rights are not aligned on how to approach the issue. Globally there are generally eight data privacy rights, which are (1) right of access, (2) right of rectification (correction), (3) right of deletion, (4) right of restriction, (5) right of portability, (6) a right not to be marketed to, (7) right against automated decision-making, and (8) a private right of action (generally associated with security issues). These global rights have evolved over time and generally originate from the privacy guidelines provided to its members by the Organization for Economic Cooperation and Development – but that’s another story for another day.  CCPA gave four of these rights (Access, Deletion, Portability, and Opt-Out of sale (with a parental Opt-in for the sale of minor’s data). CPRA will give CA residents seven of these rights with the Attorney General as the enforcing agency providing for a penalty of $7500 per violation, although the right of restriction is limited to sensitive personal information only. Maine gives the right of restriction with a mandatory opt-in but only applies to Internet Service Providers, and Nevada gives a mandatory opt-out. The disparity of viewpoints regarding the rights consumers should have is variable and unpredictable. Governments also often have a conflict of interest. The elephant in the room is that these same governments tasked with protecting their resident’s right to privacy are tasked with enforcing their own laws so they draw on the same pools of data that these new privacy laws are designed to limit.
    3. The final point of view is businesses that collect personal information and in return provide modern conveniences. Some of these businesses rely on personal information as their currency. These companies may sell this information to generate revenue or use the data to improve their products and services. And some businesses offer their products or services for a fee, but still require personal information to provide the high standard of technological quality and convenience that is demanded from US consumers today.

    All three of these points of view must work together to make up the whole, but they seem to be at odds. And we haven’t even begun to consider the ethical considerations that are generated as more and more data is collected and used to improve technology and the myriad of ways the resulting data is being used.

    Virginia – following in the footsteps of California

    Now, that we’ve discussed the landscape, let’s talk about the most recent US state comprehensive privacy law in Virginia. The CDPA, when signed into law by the governor of Virginia, will not apply to government entities, non-profits or entities already governed by “regulated sectors,” de-identified personal data or publicly available personal data (which has a very broad definition).

    Virginia’s CPDA is expected to come into effect in 2023

    Who will the CDPA Apply to?

    The CDPA will apply to Companies that:

    • Conduct business in Virginia
    • Target market products and services to Virginia residents
    • Control or process the personal data of at least 100,000 Virginia residents
    • Make at least 50 percent of its gross revenue from the sale and processing of at least 25,000 Virginia resident’s personal data.”

    These businesses are considered “Controllers” of the data when they determine the purpose and the means of their processing, and the law will impose many of the obligations also required of Controllers under the EU General Data Protection Regulation (GDPR).

    Rights and Obligations

    Virginia residents will have a right of information and access, rectification, deletion, portability, an opt-out right for targeted marketing, the sale of their personal data, and profiling, and a right to appeal a rights-based decision made by the Controller who can’t discriminate against a Virginia resident who exercises their rights. There is no right of restriction and no private right of action. There is also an explicit opt-in consent requirement to process sensitive data, which means that a Virginia  resident’s consent must be “freely given, unambiguous and explicit.” This requirement for explicit consent is quite a high bar to meet and is comparable with the EU’s GDPR. When signed into law, it is expected that Virginia’s CDPA will become effective on the same day as the CPRA, 1 January 2023.

    In summary, a pattern is starting to emerge in the US as a wave of state privacy legislation gains momentum. Similar characteristics and high-priority issues are being highlighted for a potential Federal ombudsman law. But in the meantime, businesses and consumers will continue to struggle to normalize and comply with the privacy landscape in the US.

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    PrivacyEngine Onboarding Screen