
Virginia Consumer Data Protection Act (CDPA)

Overview

The Virginia Consumer Data Protection Act (CDPA) is a comprehensive state privacy law that regulates how businesses collect, process, and share personal data of Virginia residents. Enacted in March 2021 and effective January 1, 2023, the CDPA grants consumers new rights over their data and imposes obligations on businesses to improve data security and transparency.

The law is modeled after the EU’s GDPR and California’s CPRA, making Virginia one of the first U.S. states to adopt broad privacy protections.

Who Must Comply?

The CDPA applies to companies that do business in Virginia or target Virginia residents and meet one of the following criteria:

✔ Process personal data of at least 100,000 consumers per year
✔ Process data of at least 25,000 consumers and derive 50%+ of revenue from data sales

Exemptions:

The law does not apply to:
🚫 Government agencies
🚫 Nonprofits
🚫 Entities covered under GLBA (financial institutions)
🚫 HIPAA-regulated entities (healthcare providers)

Key Consumer Rights Under CDPA

✔ Right to Access – Consumers can request a copy of their personal data.
✔ Right to Correct – Consumers can request correction of inaccurate personal data.
✔ Right to Delete – Consumers can ask businesses to delete their data.
✔ Right to Data Portability – Consumers can obtain their data in a portable format.
✔ Right to Opt-Out – Consumers can opt out of:

  • Targeted advertising
  • Data sales
  • Certain types of profiling

Business Compliance Requirements

✔ Conduct Data Protection Assessments (DPA) – Businesses must evaluate data processing risks.
✔ Obtain Consent for Sensitive Data – Explicit consent is needed for processing sensitive data, such as:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Health data
📌 Biometric data
📌 Children’s data
✔ Privacy Notices – Businesses must publish clear privacy policies about data collection and usage.
✔ Data Minimization – Companies cannot collect more data than necessary for business purposes.
✔ Secure Personal Data – Businesses must use reasonable security measures to protect data from breaches.

Real-World Enforcement Cases

Virginia’s Attorney General enforces the CDPA, with penalties up to $7,500 per violation. While no major cases have been reported yet, enforcement is expected to increase in 2025, particularly for adtech companies and data brokers.

📌 Comparison with CPRA (California Privacy Rights Act)
The Virginia CDPA is more business-friendly than California’s CPRA:
✅ No Private Right of Action – Consumers cannot sue companies directly.
✅ Stronger Exemptions – More businesses are excluded from compliance.
✅ Opt-Out Model – Unlike GDPR, businesses don’t need prior consent to collect data (except for sensitive data).

Future of CDPA Regulation

As more U.S. states adopt privacy laws, Virginia may introduce:
📌 Expanded enforcement powers for the Attorney General
📌 Stricter opt-in consent requirements for behavioral advertising
📌 More consumer rights for automated decision-making

The CDPA serves as a model for many upcoming U.S. state privacy laws and is expected to evolve alongside federal privacy initiatives.
