Virginia swiftly passes Consumer Data Protection Act
March 4, 2021 · Authored by Mike Vanderbilt, Rachael Reinis
Virginia’s Consumer Data Protection Act (CDPA), known formally as Senate Bill 1392, flew through the Virginia legislature after being introduced in mid-January of this year. Governor Ralph Northam signed the bill into law on Tuesday, March 2, and it will become effective on Jan. 1, 2023.
The passage of the CDPA provides residents of Virginia with a comprehensive data privacy law governing the collection, control and processing of their personal data. The law draws many similarities to the European Union’s General Data Protection Regulation (GDPR), including in its definitions of personal and sensitive personal data, and seems to be modeled after the Washington Privacy Act, which has not yet made it through the Washington state legislature.
The law’s material scope, the “who” that will be required to comply, is reminiscent of the Washington Privacy Act as well as the California Consumer Privacy Act (CCPA). Persons and entities that conduct business within the commonwealth and/or target their products and services to residents of the commonwealth will be required to comply in instances when:
- The personal data of 100,000 Virginia residents, at minimum, is processed in a given calendar year; or
- The personal data of 25,000 Virginia residents is processed and over 50% of gross revenue is derived from the sale (as defined) of personal data.
To be sure, there are exemptions to compliance. We will not list them all here, but personal data governed under federal law, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), is generally exempt.
Resembling the GDPR, the CDPA adopts the terms “controller” and “processor” with similar meanings and responsibilities, such as recognizing “personal data rights,” providing transparency through privacy notices and governing the controller-processor relationship under a formal contract. Another similarity is the requirement for controllers to perform “data protection assessments.” The goal of such assessments is consistent: identify and weigh the potential benefits of the activity against the potential risks to the rights of the consumer.
However, the CDPA goes a step further by defining within its text when businesses must perform an assessment. In addition to the general requirement that an assessment take place any time a processing activity will present a heightened risk of harm to consumers, the CDPA specifically requires an assessment for each of the following personal data processing activities: