Virginia took one step closer at the end of last week to becoming the second state with its own comprehensive data privacy legislation, as the Virginia General Assembly voted to send the Consumer Data Protection Act (“CDPA”) to the desk of Governor Ralph Northam. Governor Northam has previously expressed support for the measure and is expected to sign the bill into law. It would take effect on January 1, 2023 and set a framework for collecting, controlling, and processing personal data in the Commonwealth of Virginia.

CPW previously shared Lydia de la Torre’s fantastic write-up of the CDPA and some of the key differences between the CDPA and the California Consumer Privacy Act (“CCPA”). Similar to the CCPA, the CDPA would give Virginia consumers the right to access their data, correct inaccuracies, and request the deletion of information. Virginia residents would also be able to opt out of data collection under certain circumstances. However, the CDPA does not include a private right of action for data breaches: violations of the Virginia law are enforceable only by the state Attorney General.

The CDPA applies to all persons that conduct business in Virginia or produce goods or services targeted at Virginia and either “(i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” However, it does not contain an independent revenue threshold. By comparison, the CCPA applies to all businesses with an annual gross revenue of over $25 million that do business in the State of California and collect personal data from California residents. A “consumer” is defined as a “natural person who is a resident of the Commonwealth acting only in an individual or household context,” excluding those acting in commercial or employment contexts. This is unlike the CCPA, which also applies to individuals acting in those capacities. Similar to the CCPA, the CDPA also exempts state and local governmental entities, as well as certain categories of data and information already covered by federal law, such as protected health information governed by HIPAA.