Consumer Data Protection Act (state of Virginia US) - CDPA

The Consumer Data Protection Act (state of Virginia US) (CDPA) applies to businesses that conduct business in Virginia or produce products or services that target Virginia residents and that (1) during a calendar year, control or process personal data of at least 100,000 consumers or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The CDPA is scheduled to go into effect on January 1, 2023.

The CDPA defines “personal data” as any information that is linked or reasonably associated to an identified or identifiable natural person — also includes households.

Under this Virginia Data Privacy Law, consent is required to process “sensitive data” which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data, personal data collected from a known child, and precise geolocation data. This data privacy law explicitly excludes “de-identified data or publicly available information, “but not pseudonymous information.

This regulation introduced the following consumer rights:

  • Right to know, access, and confirm
  • Right to deletion
  • Right to opt-out of sale (defined as the exchange of personal data for a monetary consideration)
  • Right to opt-out of processing for targeted advertising
  • Right to opt-out of profiling
  • Right to nondiscrimination
  • Right to data portability
  • Right to rectification/correction

The regulation requires Data Protection Assessments for the following processing activities:

  • The processing of personal data for targeted advertising,
  • The sale of personal data,
  • The processing of personal data for purposes of profiling,
  • The processing of sensitive data,
  • Processing activities involving personal data that present a heightened risk of harm to consumers.


  • Individuals acting in a commercial or employment context,
  • Financial institutions subject to GLBA
  • Health Care entities under HIPAA.

Privacy Notice

The CDPA does not expressly require businesses to display a privacy notice at or before the point of the collection of personal data, nor does it require businesses to provide a “do not sell my information” link.


The CDPA requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller.