On March 2, 2021, Governor Northam made Virginia the second state in the U.S. to enact a comprehensive privacy law, Virginia's Consumer Data Protection Act (CDPA). We will follow up with more discussion on how this impacts your business in the lead-up to the law's effective date (January 1, 2023, the same as CPRA), but here are a few highlights:
Individuals protected
CDPA regulates data related to Virginia residents in their individual or household capacity. It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data).
Regulated entities
CDPA regulates "controllers" and "processors" that meet this test: individuals or entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and meet one of two thresholds: (1) control or process personal data of at least 100,000 consumers or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of that data. CDPA does not apply to Commonwealth agencies or political subdivisions of the Commonwealth, entities or data subject to the Gramm-Leach-Bliley Act, covered entities or business associates governed by HIPAA, non-profits or institutions of higher education.
Enforceability
CDPA does not include a private right of action. The law may only be enforced by the Virginia Attorney General's Office. Entities have a 30-day notice and cure period to remedy any violations of the law before the AG can initiate an enforcement action.