The California Consumer Privacy Act was the trailblazer in the US in terms of personal data processing activities. The Virginia Consumer Data Protection Act (CDPA) is the second of its kind to hit the States. 


But what exactly are the CDPA requirements, and when does the CDPA apply? From a consumer side, what changes in terms of Virginia residents’ personal information? And how can businesses protect themselves against a CDPA violation?


Carry on reading for a crash course on all you need to know about Virginia CDPA compliance.









What is the CDPA?


Passed by the Virginia attorney general on March 2, 2021, the CDPA was enacted to provide consumers with greater transparency and control over their personal information. 


The CDPA will be effective on January 1, 2023.


From the perspective of Virginia residents, the CDPA protects consumers’ privacy rights. 


From a company perspective, this regulation allows enterprises to ensure their data practices promote transparency and protection, also protecting sensitive information against data breaches. 


Given that 75% of consumers say they won’t purchase from a company they don’t trust with their data (Harris poll for IBM, 2018), the benefits of a redefined data strategy are threefold: regulatory, ethical, and in terms of gross revenue. 


Put simply, this landmark law is a win-win situation.


What consumer rights does the CDPA grant?


The CDPA's controls give Virginia residents greater control over how businesses handle their sensitive data.


Specifically, the law grants consumers rights such as:


  • The right to opt out of targeted advertising.

  • The right to delete their data.

  • The right to opt out of the sale of personal data. 

  • The right to data portability (the ability to transfer data from one platform to another). 


So, what does this mean for companies? How can businesses ensure that Virginia residents have the sensitive data rights they deserve? 




What are the requirements and what is a service provider under CDPA?


The CDPA, like the GDPR and CCPA, gives consumers the ability to access, correct, delete, and receive a copy of their personal data upon request. Companies must act on customer data requests, with consumer-directed personal assistance, within 45 days.


The CDPA requires companies to make additional disclosures surrounding their data processing activities, individual rights, and consumer requests. Organizations are also required to perform impact assessments and deliver exemplary consumer-directed personal assistance.


Under the CDPA, service providers are considered "processors." A processor is any entity performing a task for the data "controller", the company collecting the data and deciding how to use it.


What are the rules on targeted advertising? 


Put simply, users have the right to opt out of their data being used for targeted advertising. 


The law defines targeted advertising as the use of Virginians' personal data to deliver ads based on data from third-party websites or apps in order to predict preferences or interests. 


However, there are exceptions. The Virginia law does not apply to:


  • Ads based on activities within a data controller's own website or app.

  • Ads based on a consumer's search query, website visit, or online application (consumer-directed personal assistance).

  • Ads based on consumer requests for information. 

  • Personal data processed only to measure or report advertising performance/reach. 


Who does the CDPA apply to?


We’re here to answer the question on everyone’s lips: “Do I have to comply with the CDPA?” The CDPA applies to businesses that:


  • Control or process the personal information of at least 100,000 consumers (defined as Virginia residents). 


Or to businesses that: 


  • Control or process the data of at least 25,000 consumers and make 50% or more of their gross revenue per calendar year from the sale of personal data.


The CDPA exempts companies that are subject to HIPAA, GLBA, and other regulations. 


What are the penalties, and who enforces CDPA?


Infringement of the CDPA law can amount to fines of up to $7,500 per violation.


The CDPA will be enforced by the Virginia Attorney General. Notably, there is no private right of action.


There is a 30-day “Right to Cure” for potential violations. This is an appropriate arrangement that gives businesses the ability to right any potential wrongs, given that this type of legislation is relatively new, particularly in the US.


Is There an Easy Way to Comply with CDPA? 


We’re coming to the end of our CDPA crash course. But we’re now reaching the most important part. 


It’s all very well knowing the CDPA requirements, but how can companies implement them effectively and reliably across all personal data practices?


Companies have until January 2023 to comply, but it’s better to act sooner rather than later. Put simply, compliance should not be a matter of last-minute guesswork. 


This is why Didomi is here to help. 


A bespoke Didomi privacy notice (Consent Management Platform) allows companies to show exemplary compliance and reduce legal risk without sacrificing performance and data visibility. 


Thanks to our solution, consumers are able to opt in or opt out of personal data processing activities. 


97% of companies have seen benefits like a competitive advantage or investor appeal from investing in privacy (Cisco 2019 Consumer Privacy Survey). 


The benefits of optimal consent management technology should not be underestimated. 


Contact Didomi for any Virginia Consumer Data Protection Act or California Privacy Rights Act queries or for more information on our solutions. We’ll ensure you achieve CDPA compliance. 

