Virginia’s Consumer Data Protection Act (CDPA) is Imminent: What Does That Mean?

It looks like there will be a new acronym to learn for people working in Legal, IT, Data Privacy, and Compliance. Virginia is set to be the second state to pass a data privacy act which mimics Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), giving consumers access to personal data collected by a company, as well as the ability to opt out of processing personal data for purposes of targeted ads, sale, or profiling.

According to the National Law Review, Virginia’s Consumer Data Protection Act (CDPA) also expands the state’s definition of personal data to include “sensitive data”: race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation, among other categories.

For a deeper look at how the use of personal information can have far-reaching effects beyond the annoyance of receiving targeted ads, check out Doug Austin’s blog post about the Norwegian Data Protection Authority fining the popular gay dating app Grindr $11.7 million, for “illegally disclosing private details about its users to advertising companies.”


The CDPA will apply to “businesses that conduct business in Virginia, or produce products or services that target Virginia residents,” with some specifics on the number of customers they collect data from: the CDPA applies to businesses that have more than 100,000 customers; or, if half of their revenue is derived from selling personal data, that number goes down to 25,000.

There doesn’t seem to be a data minimization clause in the CDPA, as there is in the GDPR or the recently passed California Privacy Rights Act (CPRA), which will supersede the CCPA but won’t be fully operative until January 1st, 2023. Data minimization clauses state that personal data collected, stored, and used by companies must be limited to only that which is relevant, adequate, and absolutely necessary. The exact language of the CPRA states a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary.”

The presence of data minimization requirements puts pressure on companies to maintain clear retention policies and information governance programs. But even without them, the protection of consumer data under laws like those in California, as well as the looming Virginia law, means that forward-looking organizations will be working to stay ahead of the curve on being good stewards of their customers’ data. Then again, maybe they won’t.

One of the main criticisms of the GDPR and the CCPA is that the penalties aren’t strong enough to push companies towards compliance. A corporation worth billions won’t think twice about paying a fine of a few million dollars. It’s simply the price of doing business, especially when it comes to having insights into consumer data.

Virginia’s CDPA does differ from California’s law when it comes to enforcement: there is no private right of action for consumers, but instead the Virginia Attorney General has exclusive authority to enforce violations and can award damages maxing out at $7,500 per violation. Whether this will be enough of a deterrent is yet to be seen.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

