Skip to main content

Virginia Enacts New Data Privacy Law

Virginia governor Ralph Northam

Posted by Chris Alarie on Fri, 03/05/2021 - 15:23

Virginia Governor Ralph Northam signed a bill into law on Tuesday that gives his state’s residents significant data privacy protections. Known as the Consumer Data Protection Act (CDPA), the law makes Virginia the second such state to institute these sorts of regulations, following California’s passage of the California Consumer Privacy Act (CCPA) in 2018.

The CDPA applies to entities that conduct business in Virginia or have products or services that are targeted to Virginia residents. The entities that are bound to the strictures of the law are those that meet one of the following two conditions:

  • They control or process the personal data of at least 100,000 consumers per year; or
  • They control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.

The CDPA allows Virginia residents to opt out of having their personal data tracked and request that businesses confirm whether or not they are tracking their data. It also gives residents the right to request that their personal data be deleted, the right to correct inaccuracies in their data, and the right to obtain copies of whatever data has been collected about them.

The law does offer some exemptions, including some designed to prevent conflicts with other laws such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). Nonprofits, higher education institutions, and elements of Virginia’s state and local governments are also exempt from these regulations.

The CDPA is largely similar to the CCPA with one key distinction: the CDPA does not contain a private right of action. The law takes effect on January 1, 2023.

In general, the CDPA and CCPA are the beginning of a likely trend in state-level privacy legislation. At least 25 states are currently considering some sort of consumer data privacy legislation, with Washington especially likely to pass something this year. This is an important and evolving subject area that bears continued attention.