Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) into law on March 2nd, 2021, making Virginia the second state to enact a data protection law — only preceded by California's CCPA. The law will go into effect on January 1st, 2023.
The CDPA affirms consumers' rights to access and control their personal data. Any entity controlling and processing personal data must follow the responsibilities outlined in the law.
This article provides a brief and summarized overview of the law. You can read the full text of the Consumer Data Protection Act here.
Who must comply with the CDPA?
The law applies to anyone that conducts business in Virginia or produces products or services that are targeted to residents of Virginia AND satisfy one of the following:
- Control or process personal data of at least 100,000 consumers
- Control or process personal data of at least 25,000 consumers AND derive 50% of gross revenue from the sale of personal data.
What are the requirements of the CDPA?
The law provides consumers with data rights and defines the responsibilities of both controllers and processors of data. It is imperative to understand the definition of each entity: