Virginia governor Ralph Northam has signed a new state data protection act into law.
The Virginia Consumer Data Protection Act (CDPA) requires people conducting business in the Commonwealth of Virginia to comply with a novel set of data security and privacy requirements.
The CDPA, which mirrors some of the provisions laid out in the EU’s General Data Protection Regulation (GDPR), comes into effect on January 1, 2023.
Businesses found to have violated the CDPA will be given 30 days to correct their behavior before they are fined up to $7,500 per violation by the Virginia attorney general.
While similarities exist between the CDPA and the GDPR and also between the CDPA and the California Consumer Privacy Act (CCPA) that took effect on January 1, 2020, the laws are different enough so that compliance with one does not equal compliance with the other.
Under the CDPA, Virginia residents have the right to view and obtain the personal data held by a covered entity, to correct errors in it, and to delete it.
Other consumer rights granted to Virginians under the new law allow them to opt out of processing of personal data for targeted advertising purposes and to appeal the denial of a business to act on a request within a time frame of 45 days.
Consumers cannot take legal action against a business if they believe their CDPA rights have been violated as the new law contains no private right of action.
The CDPA applies to any person or business that controls or processes the personal data of 100,000 or more residents of Virginia in a calendar year. It also applies to any business or person that controls or processes the data of 25,000 or more Virginia residents in a calendar year and also derives 50% or more of its gross revenue from the sale of personal data.
Under the law, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
Nonprofit organizations, higher education institutions, and any body, authority, board, bureau, commission, district, or Virginian agency or Virginian political subdivision are exempt from CDPA compliance.