The state is the second in the nation to enact a consumer data protection law along the lines of the EU’s GDPR. Here’s what businesses need to know about Virginia’s CDPA.

On March 2, Virginia’s Democratic Governor Ralph Northam signed into law the nation’s second major piece of state legislation that governs consumer data privacy and protection. Virginia’s Consumer Data Protection Act (CDPA) follows the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. In a referendum last fall, California citizens voted to amend the CCPA by approving the California Privacy Rights and Enforcement Act (CPRA), which will mostly go into effect on January 1, 2023.

All three laws follow the European Union’s landmark data protection law, the General Data Protection Regulation (GDPR), implemented on May 25, 2018. Although the CCPA, CPRA and CDPA borrow heavily from the GDPR, each data privacy vehicle contains provisions that vary from the other laws.

Virginia’s CDPA, also set to go into effect January 2023, spells out a complex framework for how businesses or “persons conducting business in the Commonwealth” control or process data. The bill’s provisions apply only to businesses that control or process personal information of at least 100,000 consumers, defined as Virginia residents, or companies that control or process the data of at least 25,000 Virginia residents that also derive 50% or more of their gross revenue from the sale of personal data.

The legislation spells out that some organizations and data are exempt from the bill’s requirements. Among the exemptions in the CDPA are state and local governments, non-profit organizations, and higher education institutions. Information subject to the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), and personal data processed in employment contexts are also exempt. The bill further exempts institutions subject to the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Markus Spiske on Unsplash