Privacy-proof your website for CDPA compliance
Implement all your CDPA compliance requirements under one roof! Display an opt-out notice and provide privacy disclosures for foolproof compliance.
The #1 cookie consent solution, trusted by 1.4 Million+ websites
The Virginia Consumer Data Protection Act (CDPA) is a state-wide data privacy law that applies to businesses that process the personal information of Virginia residents. The CDPA regulates how businesses process consumers’ personal information and provides them with rights over their data. Virginia CDPA came into effect on January 1, 2023.
CDPA Compliance Checklist for Websites
- Provide opt-out from the sale of personal data, targeted advertising and profiling
- Include an up-to-date and accessible privacy policy and cookie policy
- Limit data collection to relevant data and legitimate purposes
Prepare for CDPA Compliance with CookieYes
Implement an opt-out notice
Under CDPA, when businesses sell personal data or use it for targeted advertising (including the use of third-party cookies) or profiling, they should disclose this information in a clear and conspicuous way and inform consumers how to opt out.
With CookieYes you can
Automate consent management
To respect users’ right to opt out under CDPA, websites must set third-party cookies only in line with users’ consent preferences and maintain continuous compliance.
With CookieYes you can
Generate a compliant privacy policy
Under the CDPA, businesses should implement an accessible, clear, and meaningful privacy notice on their website and include information on the personal data collected, the purpose of collection, how to exercise user rights, and more.
Achieve regulatory compliance with ease with our no-code cookie consent solution
Learn more and take the first step towards compliance
What is CDPA?
The Consumer Data Protection Act (CDPA) is data protection legislation from Virginia, United States. Virginia CDPA imposes obligations on companies for processing personal data and grants rights to individuals regarding their personal data.
The CDPA was passed on March 2, 2021, and enforcement began on January 1, 2023. Virginia is the second US state after California to officially enact comprehensive consumer privacy legislation.
Who does CDPA apply to?
The CDPA applies to for-profit businesses that conduct business in Virginia or market their goods and services to Virginia residents and that either:
- Control or process the personal data of at least 100,000 consumers in a year, or
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.
The CDPA does not apply to certain government agencies, non-profit organizations, higher education institutions, financial institutions subject to the GLBA, or covered entities or business associates governed by HIPAA and HITECH.
What are consumer rights in CDPA?
Right to access
The right to confirm whether a controller is processing the consumer’s personal data and to access the personal data.
Right to opt-out
The right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling.
Right to correct
The right to request to correct, update, or complete personal data about them.
Right to delete
The right to delete personal information that a business has collected from them.
Right to data portability
The right to obtain a copy of their personal data in a portable and readily usable format and transfer it to another data controller.
What is the penalty for non-compliance?
Businesses can face civil penalties of up to $7,500 for each violation, including attorney fees. Businesses will have a 30-day cure period to rectify violations before the Virginia Attorney General takes action.
Virginia’s CDPA also allows for the recovery of legal fees and investigative costs, and violations are not limited to “intentional violations”. Unlike California’s CCPA, the law explicitly excludes a private right of action.
FAQ on CDPA Compliance
The Virginia Consumer Data Protection Act (CDPA) is a data privacy law that regulates data processing in the state of Virginia. It was signed in March 2021 and took effect in January 2023. This makes Virginia the second US state to enact a consumer privacy law, following in the footsteps of California. The Virginia CDPA builds on the frameworks of California’s CCPA and the European Union’s GDPR.
The CDPA defines personal data broadly as any information that is linked or reasonably linkable to an identified or identifiable natural person. Data available in the public domain and anonymised data are excluded from the definition of personal data. Personal data, therefore, can be identifiers such as name, identification number, IP addresses, biometric information or characteristics such as race, ancestry, religion, age, sex, sexual orientation, gender, medical condition etc.
The CDPA protects a “sensitive” category of personal data. This includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying a natural person, and personal data collected from minors or precise geolocation data.
The Virginia Attorney General is the exclusive regulatory authority to enforce CDPA and has the power to impose a civil penalty of up to $7,500 per violation.
The Virginia CDPA has many similarities with the California Consumer Privacy Act (CCPA). Despite similarities, they have key distinctions in scope and enforcement. Some notable differences are:
- CCPA considers revenue as one basis for its applicability, while CDPA applies if a business controls or processes at least 100,000 consumers’ personal data.
- Unlike the CCPA, the CDPA does not have the provision for a private right of action for non-compliance.
- The CCPA gives users the right to opt out of the sale of their personal data by businesses. The CDPA broadens the scope to include targeted advertising and user profiling.
Here are some links you can refer to for additional reading:
Fast-track your CDPA compliance in minutes
Set up an opt-out banner in 3 simple steps and automate your compliance.