The state of Virginia signed a new consumer privacy law into effect on March 2, 2021: the Consumer Data Protection Act, more commonly known as the CDPA. 

The CDPA is the latest in a series of tough consumer privacy laws, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). For businesses that collect personally identifiable information about their customers, employees, or other individuals, the proliferation of these next-generation privacy laws can pose profound compliance challenges. 

In this post, we’ll take a deeper look at Virginia’s Consumer Protection Privacy Act, how it compares to similar regulations around the processing of personal data, and how businesses might need to retool their privacy and cybersecurity programs to assure compliance.

What Laws Exist to Protect Consumer Data?

There are hundreds of data privacy laws at the state and federal level, plus yet more privacy regulations in countries overseas. The most notable ones include:

  • The Health Insurance Portability and Accountability Act (HIPAA). A U.S. federal law that requires healthcare organizations to implement data privacy protection and security controls to protect private health information (PHI) from unauthorized access or from disclosure without written consent from the patient.
  • The Gramm-Leach-Bliley Act. Another U.S. federal law, which requires financial institutions, or businesses that provide financial services, to protect consumers’ financial information and to disclose data collection and sharing practices to their customers by means of privacy notices.
  • The General Data Protection Regulation (GDPR). A law passed by the European Union (EU), it requires organizations located anywhere in the world that target or collect data from EU residents, to obtain consent via opt-in, before collecting any personal data. 
  • The Fair Credit Reporting Act (FCRA). A U.S. federal law that requires consumer reporting agencies to be accurate and fair in their credit decisions and maintain the privacy of any consumer information obtained. 
  • The California Consumer Privacy Act (CCPA).  A California state law that applies to businesses headquartered in California or to businesses that collect data about California residents. Among other things, the CCPA requires covered businesses to disclose the information they’ve collected about California residents when those persons request to see it.
  • The California Privacy Rights Act (CPRA). A California state law that specifies that residents can opt-out of both the sale and sharing of their personal data with third parties. This law provides a point of clarity for CCPA, since the CCPA’s definition of “selling” does not expressly include sharing data.
  • Finally, the Virginia Consumer Data Protection Act (CDPA). This new law combines elements of the GDPR, the CCPA, and CPRA. Like those three, the CDPA is predicated on the idea that personal information is the property of the person in question, not the organization that collects it — and, therefore, the business collecting the information has certain duties of care with personal data that it must meet.

What Is the Difference Between the CCPA and Virginia’s CDPA?

Foremost, the CCPA protects the privacy of residents of California, whereas CDPA protects the citizens of Virginia. 

Another major difference: the CCPA allows California residents to file private civil lawsuits against an organization for unauthorized disclosures of personal data; Virginia’s statute does not. (Attorneys can still file tort claims trying to prove negligence, fraud, or other violations of the CDPA in a court of law anyway.)

Both laws do allow their respective residents the right to manage and obtain a record of the personal data that an organization might have about them. Both laws also require businesses to obtain consent regarding the collection and saving personal data. 

Who Is Subject to the CDPA? 

According to the official site for The Virginia CDPA, the law applies to: 

“persons that conduct business in the Commonwealth [of Virginia] or produce products or services that are targeted to residents of the Commonwealth” and that meet either of the following thresholds: 

  • Annually control or process personal data of at least 100,000 Virginia residents; or
  • Control or process personal data of at least 25,000 Virginia residents and derive more than 50 percent of gross revenue from the sale of personal data.

What Are the Risks of Not Protecting Consumer Data?

The risks are many. 

First, leaving consumer data unprotected makes your organization a tempting target for cyber thieves. They might gain access to your systems and cause all manner of disruption to your business processes, while also absconding with your customers’ personal data. Repairing that disruption will take time and money.

Second, ignoring consumer privacy laws leaves your business exposed to regulatory enforcement and civil lawsuits. The regulators might impose monetary penalties or require costly corrective action plans — and that will all come after a lengthy investigation, which will also cost your business time and money. Victims of data breaches at your business might also sue your business in court (for example, as permitted under California’s law).

Third, a data breach can lead to uncomfortable headlines in the press and alienate customers or other business partners. That more tarnished reputation might translate into lower revenues from sales prospects who suddenly disappear, or more costs from prospective business partners that want more assurance that your business now takes privacy duties seriously.

What Are the Penalties for Violating the CDPA? 

The CDPA empowers Virginia’s attorney general to enforce the law with potential fines of $7,500 per violation. That said, some gray areas remain around what circumstances qualify for a penalty, as the law is new and still being developed.

How Can I Find Out the Local Data Protection Laws in my State?

Check out for a comparison of state laws and regulations regarding data privacy.

How ZenGRC Can Help to Manage CDPA Compliance

Understanding how to protect personal data adequately is a challenge. This is especially true in the United States, where privacy is governed by a patchwork of state and federal laws. It is still your organization’s duty to comply with them all. 

Leaders in compliance-heavy industries rely on ZenGRC to help them keep pace with the changing laws and regulations, and assure their compliance stance remains strong. 

ZenGRC is a governance, risk management, and compliance platform that can help you to gather your compliance documentation, understand where your gaps are, and automate your management workflows. 

ZenGRC’s functionality can help you to implement self-audits, while our easy-to-use dashboard provides an integrated view of your compliance stance, across all relevant frameworks, showing you where your gaps are and how to fill them.

Worry-free compliance is the Zen way! Get your free consultation today.