Governor Ralph Northam has signed the Consumer Data Protection Act (CDPA), making Virginia the second state with a comprehensive privacy law. The CDPA is inspired by both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation and takes effect Jan. 1, 2023 (the same date as most of the provisions of the California Privacy Rights Act (CPRA)). As we outlined in our analysis of the CDPA, the law grants consumers rights to access, correct, delete and obtain a copy of personal data and to opt out of the sale of personal data, the processing of personal data for the purposes of targeted advertising and profiling (automated decision-making).

In the meantime, Virginia will be busy ironing out all the details “regarding the implementation of this act” through a “work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates … to review the provisions of this act and issues related to its implementation.” The “findings, best practices, and recommendations” of this work group are due Nov. 1, 2021.

For additional articles covering state privacy legislation updates, the CCPA, the CPRA or the recent Schrems II decision, including our 2020 year-in-review article, visit BakerHostetler’s Data Counsel blog and our Consumer Privacy Resource Center.