The Commonwealth of Virginia passed the Consumer Data Protection Act (CDPA) into law on March 2, 2021, following overwhelming bipartisan support for a state consumer privacy law. Virginia becomes the second U.S. state behind California to institutionalize a comprehensive consumer privacy law for businesses to govern, control and lawfully process personal information of Virginia’s residents. The law goes into effect on January 1, 2023.
The CDPA applies to all persons who conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers, or (ii) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The law outlines responsibilities and privacy protection standards for both data controllers and data processors.
Protiviti has published a Flash Report that outlines the provisions of the law and key considerations for businesses as they seek to comply with the new law. Businesses that have made changes within their organization to comply with the California privacy laws will find it easier to align with the CDPA, although there are specific nuances to be considered for the Virginia privacy law.