Virginia has followed in California’s footsteps and passed its own data and consumer privacy law, making it the second state (or, commonwealth) to pass a proactive data privacy law governing the collection and use of consumers’ personal information. The Virginia Consumer Data Protection Act (CDPA) was signed into law in March. While there is time to prepare before the CDPA goes into effect Jan. 1, 2023, the law brings privacy regulations closer to home for businesses on the East Coast and in the mid-Atlantic that may have ignored the potential applicability of the California Consumer Privacy Act.

Applicability of the CDPA

The first question for businesses to ask themselves is whether the CDPA will even apply to them. The CDPA applies to organizations that conduct business in Virginia or target their products and services to residents of Virginia; and either process personal data of at least 100,000 consumers during a calendar year, or process personal data of at least 25,000 consumers and derive more than 50% of gross revenues from sales of such data.