On March 2, 2021, Governor Northam made Virginia the second state in the U.S. to enact a comprehensive privacy law, Virginia's Consumer Data Protection Act (CDPA). We will follow up with more discussion on how this impacts your business in the lead-up to the law's effective date (January 1, 2023, the same as CPRA), but here are a few highlights:

  • Individuals protected: CDPA regulates data related to Virginia residents in their individual or household capacity.  It specifically exempts individuals acting in a commercial or employment context (i.e., B2B or employee data).  
  • Regulated entities: CDPA regulates "controllers" and "processors" that meet this test: individuals or entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and meet one of two thresholds: (1) control or process personal data of at least 100,000 consumers or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of that data.  CDPA does not apply to Commonwealth agencies or political subdivisions of the Commonwealth, entities or data subject to the Gramm-Leach-Bliley Act, covered entities or business associates governed by HIPAA, non-profits or institutions of higher education.  
  • Enforceability: CDPA does not include a private right of action.  The law may only be enforced by the Virginia Attorney General's Office.  Entities have a 30-day notice and cure period to remedy any violations of the law before the AG can initiate an enforcement action.  

Stay tuned as Womble Bond Dickinson's Privacy and Cybersecurity Team provides more updates in the weeks to come.