BLOG | Cookie Compliance | July 07, 2021

The Virginia Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (CDPA) passed on March 2, 2021, making it the next major state since California to shape up the US...


The Virginia Consumer Data Protection Act (CDPA) passed on March 2, 2021, making it the next major state since California to shape up the US Privacy landscape. The CDPA increases the protection of consumers’ data and will further expand consumer privacy rights for Virginia residents.

Though it shares similarities with the GDPR and CCPA, the CDPA establishes new definitions for geolocation data, profiling, targeted advertising, and the sale of personal data.

What Does Virginia’s Consumer Data Protection Act Look Like?

Below is an outline of some of the key aspects of Virginia’s Consumer Data Protection Act

  • Personal Data: The bill defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” 
  • Consumer Rights: The CDPA provides consumers with the right to opt-out of “the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Consumers will also have the right to confirm if their data is being processed, to amend inaccuracies, to data deletion, and to data portability. 
  • Data Protection Assessments: The bill would impose new obligations for assessments, including a requirement for data controllers to carry out data protection assessments of processing activities that involve personal data used for targeted advertising, the sale of personal data, profiling, the use of sensitive data, and the use of any data that presents a heightened risk of harm to consumers. 
  • Consent: Consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” Parallels can be drawn between this definition of consent and the definition used in the GDPR. 
  • Enforcement: The Attorney General will have the exclusive right to enforce the law, as there is no provision for a private right of action. The penalty for non-compliance may be up to $7,500 per violation. 

Impact for Organizations

With the CDPA‘s passing, organizations will be subject to vendor management obligations as well as data security and data protection assessment requirements. The CDPA applies to organizations that conduct their business in Virginia, or that produce products or services that are targeted to residents of Virginia and that meet one or more of the following requirements:   

  • Process personal data of at least 100,000 consumers per calendar year 
  • Control and process personal data of at least 25,000 consumers, and the organization derives over 50% of gross revenue from the sale of personal data 

When Will the CDPA Come into Effect?

Following Governor Northam’s signature, the CDPA will come into effect January 1, 2023, giving organizations time to prepare and update their compliance programs.

For more information on how CookiePro can help you comply with the CDPA , request a personalized demo with our team today.

You Might Also Like

White Paper

Italian Garante Cookie Guidelines: What You Need...

View Resource

Italian Garante: Guidelines & Setup Checklist

View Resource

Types of Cookies and Other Tracking Technologies

View Resource
Webinar | 45 minutes

Going Mobile (App): How to Enhance Privacy...

View Resource
Onetrust All Rights Reserved