Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (CDPA) gives Virginia residents rights over their personal data and requires businesses to be transparent and responsible in how they collect and use that data.

The Virginia Consumer Data Protection Act (CDPA) is a comprehensive state-level privacy law that governs how businesses collect, use, and protect personal data of Virginia residents. Enacted in March 2021 and effective as of January 1, 2023, the CDPA establishes key consumer rights and outlines business obligations to ensure transparency and accountability in data practices. It reflects a growing trend in U.S. states enacting their own privacy frameworks in the absence of a unified federal law.

What is CDPA?

The CDPA is designed to provide Virginia residents with greater control over their personal information, while imposing new responsibilities on businesses that process such data. Inspired by the GDPR and other state laws like CCPA, the CDPA introduces core privacy principles including:

  • Data minimization
  • Purpose limitation
  • Consumer rights
  • Security requirements
  • Consent for sensitive data processing

While similar in many ways to other privacy laws, the CDPA includes unique definitions and requirements that businesses must carefully evaluate.

Who does the CDPA apply to?

The CDPA applies to for-profit businesses that operate in Virginia or target Virginia residents and meet at least one of the following thresholds:

  • Control or process personal data of at least 100,000 Virginia residents during a calendar year, or
  • Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Unlike some other laws, the CDPA does not apply to individuals acting in a commercial or employment context, nor to nonprofit organizations.

What are consumer rights under CDPA?

Virginia residents are granted several important rights under the CDPA:

  • Right to access personal data collected about them.
  • Right to correct inaccuracies in their personal data.
  • Right to delete personal data provided or obtained about them.
  • Right to data portability – to receive their data in a usable format.
  • Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

Businesses must respond to consumer requests within 45 days and provide an appeals process if a request is denied.

What are the penalties for non-compliance with the CDPA?

The Virginia Attorney General is responsible for enforcing the CDPA. Businesses that fail to comply may face:

  • Civil penalties of up to $7,500 per violation,
  • Injunctive relief to stop non-compliant practices,
  • Mandatory cures within 30 days of notice (this cure period may be removed in future versions of the law).

Currently, the CDPA does not include a private right of action, meaning consumers cannot directly sue businesses for violations.

Does the CDPA apply only in Virginia?

No. The CDPA applies to any business that targets or serves Virginia residents, regardless of where the business is based. This means companies located outside of Virginia — or even outside the United States — may be subject to CDPA requirements if they meet the data processing thresholds and engage with consumers in Virginia.

How does Consentise help with CDPA compliance?

Consentise helps your organization stay aligned with the CDPA by:

  • Providing clear, customizable consent banners and opt-out mechanisms for targeted advertising and data sales.
  • Supporting data subject rights management, including access, correction, deletion, and portability requests.
  • Logging user preferences and consents for compliance and auditing purposes.
  • Ensuring transparency in how personal and sensitive data is collected and used.
  • Assisting in the creation of privacy policies and user notices tailored to Virginia’s legal requirements.

Consentise simplifies compliance so your business can focus on delivering value while respecting privacy.
