Earlier this week, the Consumer Data Protection Act (CDPA) was signed into law by Gov. Ralph Northam in Virginia. Virginia will now be the second state with a comprehensive data privacy regulation on the books, after California with the CCPA and the upcoming CPRA.
What’s notable about the new Virginia privacy law
The DataGrail team has been following the development of the CDPA closely. While there are plenty of great recaps of the new law, including from the Washington Post and IAPP, here’s what we think you should know now.
- It’s slated to take effect on Jan. 1, 2023. This date might sound familiar to our general counsel and compliance friends—it’s the same day the CPRA will take effect.
- Unlike CCPA and CPRA, a company’s annual revenue is not a criterion for whether it has to comply with the CDPA. (There is, however, a threshold for the percentage of revenue that comes from selling personal data: 50% or more.)
- The CDPA takes an opt-out approach. Consumers can opt out of the sale of their data, targeted advertising, or profiling. This opt-out scope is more extensive than the CCPA’s.
- There’s no “right of private action.” Consumers can’t directly sue companies for data privacy violations.
- The law makes the state attorney general responsible for enforcement, rather than creating a new enforcement agency. Fines will be $7,500 per violation.
- If your business is pursuing compliance with the GDPR and the CPRA, you’re in a good place to comply with Virginia’s CDPA. The law has a lot of similarities with the GDPR and the CPRA. (For example, it creates specific obligations for “sensitive data,” not just PII.)
Momentum is building for a national data privacy regulation
The passage of CDPA in Virginia shows that people are fed up with how privacy is treated in the modern world. People want to be in control of their privacy and identity, and lawmakers are responding. We expect more states will be passing data privacy regulations. (The state of Washington is going for its third try to pass legislation—it passed in their state Senate on March 3rd.) Of course, all the state activity creates pressure at the national level to pass comprehensive data privacy legislation. Companies would vastly prefer aligning to one set of rules, rather than tracking nuances in compliance across multiple state regulations. So federal legislation is likely inevitable, though it’s still uncertain when the Biden administration will push for it.
DataGrail is ready to help fulfill CDPA compliance
Our platform was designed from the ground up to help customers immediately adapt their privacy programs to nuances in the different regulations. So DataGrail customers can rest assured that we’ve got their back, and we’ll help them ensure compliance with CDPA, and whatever other regulations arise.
Stay up to date on
Subscribe to our Weekly Grail to stay informed on industry news, and check back often for answers to some of the more complex questions as we dive deeper into CPRA.