Virginia Introduces Consumer Data Protection Act

Virginia Introduces Consumer Data Protection Act

On 2 March 2021, Governor Northam of Virginia signed the next U.S. privacy bill into law: the Virginia Consumer Data Protection Act (CDPA) will apply as of 1 January 2023 and will offer a range of new rights to the residents of the Old Dominion. Like the California Consumer Privacy Act (CCPA), the CDPA includes a clear threshold: businesses are covered as long as they process the personal data of 100,000 Virginia residents on an annual basis, or of 25,000 Virginia residents if over fifty percent of their gross revenue is derived from the sale of personal data. 


If either threshold is met, businesses will be required to extend a range of new individual rights to their customers:


A right to understand if personal data about them is processed or not, including extensive notice requirements;
A right of access to all personal data processed;
A right to correct any erroneous personal data;
A right to delete personal data;
A right to data portability, ideally offering the personal data of the individual in a readily available format to facilitate the move to another data controller;
A right to opt-out of the sale of personal data, as well as the processing of personal data used for targeted advertising and profiling.

The exercise of individual rights is free of charge, and can be executed up to twice a year. The company will have 45 days to respond, and may extend this deadline with another 45 days if more time is needed. In this case, a reason for the delay needs to be provided. If the request cannot be fulfilled, it should be declined with justification. Individuals will need to make sure at all times they are able to prove their identity, to ensure t ..