Virginia

Summary

Law: Consumer Data Protection Act ('CDPA')

Regulator: The Virginia Attorney General ('AG')

Summary: On March 2, 2021, the Virginia State Governor signed the Consumer Data Protection Act (CDPA) into law, which entered into effect on January 1, 2023. The CDPA regulates privacy and data protection matters in Virginia by establishing new definitions and conferring several rights on consumers including access, correction, deletion, portability, and opt-out rights. Furthermore, the CDPA establishes obligations on controllers and processors including rules regarding Data Protection Impact Assessments (DPIAs) and the processing of de-identified data.

In addition, Virginia regulates privacy and data protection matters through the Personal Information Privacy Act, which restricts the sale of personal information of customers by merchants as well as the use of social security numbers. Moreover, under Virginia's personal information breach notification law (§18.2-186.6 of Article 5 of Chapter 6 of Title 18.2 of the Code of Virginia), a personal data breach must be notified to affected consumers and to the Virginia Attorney General (AG) and nationwide consumer reporting agencies when the notification is provided to more than 1,000 persons.

You can follow legislative developments in the US through the USA State Law Tracker.

Insights

The Virginia General Assembly passed - on a bipartisan vote - legislation to amend the Commonwealth's Consumer Data Protection Act (CDPA) and add specific privacy provisions for the personal data of children. Beth Burgin Waller, Patrick J. Austin, and John Pilch, of Woods Rogers PLC, review the relevant portions of the existing law and changes contained in the new legislation.

Virginia continues to emerge as a leader on privacy legislation passing a new genetic data privacy law which goes into effect on 1 July 2023. Beth Waller, from Woods Rogers Vandeventer Black, and Scott Bauer dissect the genetic data privacy law, covering its main definitions, scope, and provisions, as well as highlighting how it fits within the broader privacy legislation landscape.

Virginia's Consumer Data Protection Act ('CDPA') is unique in the current US state law privacy patchwork both for its simplicity and direct approach to privacy. Beth Waller and John Pilch, from Woods Rogers PLC, compare the CDPA with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the California Consumer Privacy Act as amended by the California Consumer Rights Act ('CCPA').

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.

In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.

Part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms, whereas part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws.

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

Over the past few months, there has been an increased interest in consumer privacy laws across the US, with the states of Virginia, Utah, Colorado, California, and Connecticut having recently enacted comprehensive privacy legislation that will enter into effect in 2023. The enactment of these laws means that organisations in the US are subject to new privacy obligations, while consumers welcome their elevated data protection rights, aimed at better protecting consumer privacy.

Both the California Privacy Rights Act of 2020 ('CPRA') and the Virginia Consumer Data Protection Act ('CDPA') will come into force on 1 January 2023. The Colorado Senate Bill 21-190 for the Colorado Privacy Act ('CPA') and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') will take effect on 1 July 2023, whereas the Utah Consumer Privacy Act ('UCPA') will enter into force on 31 December 2023. Though the aforementioned laws do not expressly refer to the use of cookies, many of their requirements (for example, in relation to disclosure) apply to the use of cookies – and organisations should therefore familiarise themselves with these requirements.

In this Insight article, we examine the convergences and divergences between the privacy laws of Virginia, Utah, Colorado, California, and Connecticut where they affect cookies, with a view to mapping out a possible harmonised approach to compliance.

House Bill ('HB') 2307 to Amend the Code of Virginia by adding in Title 59.1 a Chapter Numbered 52, Consisting of Sections Numbered 59.1-571 - 59.1-581, relating to the Consumer Data Protection Act ('CDPA'), and its State Senate companion bill 1392 were both signed, on 2 March 2021, by the Virginia State Governor.

With Governor Northam having signed the CDPA, Virginia is the second state behind California to create sweeping consumer data privacy protections. The CDPA will enter into effect on 1 January 2023.

Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA') passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively. Three weeks later, on 24 March, Utah Governor Spencer Cox signed Senate Bill ('SB') 227 making it the fourth comprehensive State consumer privacy law in the US.

With an effective date of 31 December 2023, the UCPA joins the Colorado Privacy Act ('CPA'), the Virginia Consumer Data Protection Act ('CDPA'), and the California Consumer Privacy Act of 2018 ('CCPA') (effective now) and the California Privacy Rights Act of 2020 ('CPRA'), which all go into effect in 2023. Of course, in the spirit of US privacy law's rapid development, even at the publication of this Insight article, a fifth consumer State privacy law has just been signed in Connecticut, with similarities and small differences to its four predecessors. Samantha Ettari, Gabriella Gallego, Naa Kai Koppoe, Ellen Choi, and Charlotte Kress, from Perkins Coie, compare the content of the UCPA to the three other States where comprehensive State privacy laws have been passed.

Utah recently became the fourth U.S. State to pass comprehensive data privacy legislation, joining California, Colorado, and Virginia. The Utah Consumer Privacy Act ('UCPA') was signed into law on 24 March 2022. The UCPA will enter into force in December 2023, at the same time as California's second comprehensive privacy law - the California Privacy Rights Act of 2020 ('CPRA'), Colorado's privacy legislation - the Colorado Privacy Act ('CPA'), and Virginia's privacy law - the Virginia Consumer Data Protection Act ('CDPA'). Clifford F. Blair and Rachel Naegeli, from Kirton McConkie, compare the enforcement provisions of these four States' privacy statutes.

On 24 March 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act ('UCPA') into law, making Utah the latest State to adopt comprehensive privacy legislation. The UCPA - along with the California Privacy Rights Act of 2020 ('CPRA'), the Colorado Privacy Act ('CPA'), and the Virginia Consumer Data Protection Act ('CDPA') - makes up a new wave of laws going into effect in 2023 ('the 2023 Laws') that will reshape the privacy landscape in the US.

The UCPA tracks closely with the CDPA, and it is unlikely to drastically impact the compliance regime for businesses subject to the other 2023 Laws or the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the UCPA does include certain differences, largely in ways that narrow its application and lessen the burdens on controllers. In this sense, the UCPA may become a new model for more States that tend to lean more conservative and pro-business. In this article, Gregory Szewczyk, Partner at Ballard Spahr LLP, explores some of these differences.

Virginia's Consumer Data Protection Act ('CDPA'), which takes effect from 1 January 2023, is both brief and direct. Controllers, defined in the CDPA as 'the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data', play a central role in protecting consumer data. John Pilch, Cybersecurity/Privacy Analyst at Woods Rogers, describes the obligations of controllers under the CDPA, including adherence to basic principles, providing notices to consumers, enabling the exercise of consumer rights, establishing appropriate contracts with processors, and preparing data protection assessments.