UPDATE 3/3/21: On March 2, 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (CDPA). This comprehensive consumer privacy law is slated to take effect on January 1, 2023, allowing subject businesses nearly two years to build out their CDPA compliance programs.
Following California, with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), and before that Europe’s General Data Protection Regulation (GDPR), states are individually starting to enact their own comprehensive consumer privacy laws. Virginia appears primed to continue this trend with the Consumer Data Protection Act (CDPA). The Virginia House approved H.B. 2307 on January 29, 2021, and the Senate approved S.B. 1392 on February 5, 2021. The two chambers will now attempt to reconcile a final bill, which Virginia Governor Ralph Northam could sign into law by the end of February.
Virginia’s CDPA, in its current form, would apply to businesses that conduct business in Virginia or target products or services to Virginia residents and that, during a calendar year, (1) control or process the personal data of at least 100,000 consumers; or (2) control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. However, as currently drafted, the law contains many exemptions (for example, for entities already subject to certain federal privacy regimes), so businesses should review applicability in more detail with counsel once the law is enacted.
Similar to the CCPA and the GDPR, the CDPA grants consumers a broad range of control over their personal data, with heightened protection for sensitive personal data. It defines sensitive data as “a category of personal data that includes biometric data, data collected from children, precise geolocation data and personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status.” Specifically, the CDPA grants consumers the rights to access, correct and delete their personal data; to obtain a copy of it in a portable format; and to opt out of the processing of their personal data for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. It also requires the consumer’s consent before sensitive personal data may be processed. Borrowing the GDPR’s “controller” and “processor” terminology, the CDPA requires contracts with specified terms between controllers and processors and imposes data protection responsibilities on both. Controllers must conduct and document data protection assessments for higher-risk activities, including selling personal data, processing sensitive personal data, and processing personal data for targeted advertising or profiling, as well as any other processing that presents a heightened risk of harm to consumers; each assessment must weigh the benefits of the processing against the potential risks to consumers.
More conservatively, and unlike the CCPA (which provides a limited private right of action for certain data breaches), the GDPR and some other pending state privacy bills, the current CDPA draft contains no private right of action. Instead, the CDPA gives the Virginia Attorney General exclusive authority to bring enforcement actions and establishes a Consumer Privacy Fund to support those efforts. Before the Attorney General may seek a civil penalty of up to $7,500 per violation, the covered entity receives written notice and a 30-day period to cure the alleged violation.
If signed into law, the CDPA will take effect on January 1, 2023, giving covered entities approximately two years to build out their CDPA compliance programs. Companies doing business in Virginia that have not previously had to address comprehensive privacy laws like the CCPA or the GDPR should start preparing now. This may include:
- Identifying the categories of personal data that they process;
- Updating privacy notices to address new consumer rights;
- Implementing policies and procedures for responding to consumer requests and conducting data protection assessments;
- Verifying that they have obtained the required consent for processing sensitive personal data; and
- Revisiting vendor or other third-party contracts that involve collecting, using, storing, disclosing, analyzing, deleting or modifying personal data.
For companies already governed by the GDPR or the CCPA, coming into compliance with the CDPA or other new state privacy laws should not require a wholesale implementation effort. Instead, these companies can leverage their existing compliance programs, making narrow adjustments tailored to the CDPA (for example, its specific data protection assessment triggers and its consent requirement for sensitive data).
Preparing for the Virginia law may also help companies stay ahead of the curve. Since January 2021, Connecticut, Minnesota, New York and Washington State have introduced, or reintroduced, comprehensive privacy bills of their own.
Mullen Coughlin will continue to monitor the CDPA and other comprehensive privacy legislation. If you have any questions, please contact Kevin Mekler (267.930.2190), Melissa Sachs (267.930.4747) or another Mullen Coughlin representative.