Virginia Data Protection Act Becomes Law

On March 2, 2021, Virginia’s governor signed into law the Virginia Consumer Data Protection Act (“CDPA”), which establishes a framework for controlling and processing personal data in Virginia. Following the California Consumer Privacy Act (“CCPA”), the CDPA allows consumers to opt out of data collection, but unlike California’s law, it does not allow for a private cause of action.

The CDPA applies to all persons who conduct business in Virginia or produce products or services that are targeted to Virginia and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. Thus, like the CCPA, the CDPA potentially applies to businesses across the country and around the world.

The CDPA requires data controllers — defined as a “natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data” — to limit the collection or processing of personal data to what is “adequate, relevant, and reasonably necessary.” Data controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The CDPA prohibits data controllers from discriminating against a consumer for exercising any of the CDPA’s consumer rights and from processing a consumer’s “sensitive data” without consent.

Additionally, data controllers must conduct a “data protection assessment” for certain processes involving personal data. The assessment must “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.” The controller must provide this assessment to the Attorney General upon request.

The CDPA also requires data controllers to issue a “reasonably accessible, clear, and meaningful” privacy notice. The privacy notice must include (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) the mechanism by which consumers may exercise their consumer rights under the CDPA; (4) the categories of personal data that the controller shares with third parties, if any; and (5) the categories of third parties, if any, with whom the controller shares personal data. Data controllers must also publish to consumers a privacy notice that describes the means for consumers to submit a request pursuant to the CDPA.

Consumers may request data controllers to (1) confirm whether or not a controller is processing the consumer's personal data and to access such personal data; (2) correct inaccuracies in the consumer's personal data; (3) delete personal data provided by or obtained about the consumer; (4) obtain a copy of the consumer's personal data; and (5) opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. The controller must comply with an authenticated request within 45 days, with the option for a 45-day extension upon notification to the consumer.

Unlike the CCPA, the CDPA does not provide a private right of action. Rather, the Attorney General has exclusive authority to enforce the CDPA, and the CDPA establishes a Consumer Privacy Fund to support this effort.

The CDPA will become effective January 1, 2023.
