BLOG | Cookie Compliance | July 07, 2021

The Virginia Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (CDPA) passed on March 2, 2021, making it the next major state since California to shape up the US...


The Virginia Consumer Data Protection Act (CDPA) passed on March 2, 2021, making it the next major state since California to shape up the US Privacy landscape. The CDPA increases the protection of consumers’ data and will further expand consumer privacy rights for Virginia residents.

Though it shares similarities with the GDPR and CCPA, the CDPA establishes new definitions for geolocation data, profiling, targeted advertising, and the sale of personal data.

What Does Virginia’s Consumer Data Protection Act Look Like?

Below is an outline of some of the key aspects of Virginia’s Consumer Data Protection Act

  • Personal Data: The bill defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” 
  • Consumer Rights: The CDPA provides consumers with the right to opt-out of “the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Consumers will also have the right to confirm if their data is being processed, to amend inaccuracies, to data deletion, and to data portability. 
  • Data Protection Assessments: The bill would impose new obligations for assessments, including a requirement for data controllers to carry out data protection assessments of processing activities that involve personal data used for targeted advertising, the sale of personal data, profiling, the use of sensitive data, and the use of any data that presents a heightened risk of harm to consumers. 
  • Consent: Consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” Parallels can be drawn between this definition of consent and the definition used in the GDPR. 
  • Enforcement: The Attorney General will have the exclusive right to enforce the law, as there is no provision for a private right of action. The penalty for non-compliance may be up to $7,500 per violation. 

Impact for Organizations

With the CDPA‘s passing, organizations will be subject to vendor management obligations as well as data security and data protection assessment requirements. The CDPA applies to organizations that conduct their business in Virginia, or that produce products or services that are targeted to residents of Virginia and that meet one or more of the following requirements:   

  • Process personal data of at least 100,000 consumers per calendar year 
  • Control and process personal data of at least 25,000 consumers, and the organization derives over 50% of gross revenue from the sale of personal data 

When Will the CDPA Come into Effect?

Following Governor Northam’s signature, the CDPA will come into effect January 1, 2023, giving organizations time to prepare and update their compliance programs.

For more information on how CookiePro can help you comply with the CDPA , request a personalized demo with our team today.

You Might Also Like


10 Steps to Complete Google Data Safety...

View Resource

Google Play Data Safety vs. Apple Nutrition...

View Resource

6 Step Checklist to Complete Google Play’s...

View Resource
Webinar | 45 minutes

Google Play Data Safety: What it Means...

View Resource
Onetrust All Rights Reserved