Virginia Consumer Data Protection Act (CDPA), do not wait for 2023!

Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) in March 2021 and grants the Attorney General exclusive authority to enforce violations of the law.

The Virginia Consumer Data Protection Act (CDPA)

The CDPA establishes a framework for controlling and processing the personal consumer data of Virginia residents, and the bill applies to all persons that conduct business in the Commonwealth. Businesses must either control or process personal data of at least 100,000 consumers or derive over 50 percent of gross revenue from the sale of personal data and control or process data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors.

Consumer Rights

Technically speaking, the most labor-intensive exercise for a business is developing and testing a workflow where Virginia data subjects can execute their rights. Specifically:

  1. The consumer has the right to confirm whether a controller is processing their personal details and accessing such information.
  2. Considering the characteristics of the data and the purposes of processing the data, consumers have the right to correct inaccurate personal data.
  3. The consumer has the right to delete personal information provided by or obtained about the consumer.
  4. It is the right of consumers to obtain a portable electronic copy of personal data they have previously provided.
  5. It is the right of consumers to Opt-Out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling.
  6. The consumer has the right to appeal a business’s denial to act within a reasonable time (within 45 days).

Furthermore, the CDPA has a few important exemptions around data covered by other laws, such as HIPAA, Gramm-Leach-Bliley (GLBA), FCRA, FERPA, and COPPA.

Effective Date

The bill has a delayed effective date of January 1, 2023.


The scope includes personal consumer data that has not been de-identified or is not publicly available for a Virginia resident.

Fines for Violation

Violations of the CDPA will result in fines of up to $7,500 for each violation (not including expenses and any attorney fees incurred in connection with the investigation). In addition, a violation may lead to injunctions and civil penalties.

How Clearview Can Help

The Clearview Group has a six-step approach to Data Privacy. We help your business address compliance and identify GAPs by:

  • Completing an Applicability Assessment regardless of whether or not you already comply with GDPR and CCPA
  • Review of your Data Governance Program
  • Review of your Data Inventory and Hygiene Protocol
  • Review of your Data Classification Matrix
  • Assessing Data Security and Privacy Controls for data-in-use, data-in-transit, and data-at-rest based on the risk profile
  • Assisting with the development of a Consumer Compliance Workflow, whether automated or manual, to respond within 45-days to consumer request

For more information, contact

More in Risk & IT Risk Advisory