VA Becomes Second State to Enact Comprehensive Privacy Law

A look at Virginia's Consumer Data Protection Act

Yesterday, Governor Ralph Northam of Virginia signed the Consumer Data Protection Act (CDPA) into law, making it the second state to enact comprehensive privacy legislation in the U.S. The law will take effect on January 1, 2023, and now provides lawmakers with an alternative model to the California Consumer Privacy Act (CCPA) currently in place and the California Privacy Rights Act (CPRA) that will go into effect the same day as CDPA.

The new law provides Virginia residents with rights to access, correct, and delete the personal information businesses have about them, as well as the right to opt out of certain data processing practices such as online targeted advertising. The CDPA borrows from Europe’s General Data Protection Regulation (GDPR) by establishing a comprehensive framework designating businesses as either data controllers and processors and creating requirements around data minimization, processing limitations, data security, non-discrimination, third-party contracting, and conducting data protection assessments. Notably, the CDPA does not contain a private right of action and instead provides exclusive enforcement authority to the Virginia Attorney General. It also provides a 30-day “notice and cure” provision to allow businesses in violation of the law to come into compliance before any fines or penalties are levied.

The Virginia legislature’s streamlined process provides a new playbook for other states to follow and enact their own privacy laws such as Washington, New York, and Florida. With more than ten states already having introduced bills this year, Congress could face even more pressure to advance federal privacy legislation to preempt a growing patchwork of state laws. Many proposals have been introduced at the federal level, but have failed to move ahead due to partisan divisions and policy disagreements. RILA and other industry stakeholders’ main objective is to enact a national framework establishing a single set of rules that provide strong protections for consumers and accountability for all businesses within the digital ecosystem.

If you have any questions, please contact Brennan Duckett, director of government affairs.
  • Privacy
  • Ensuring a Safe, Sustainable Future
  • Supporting Free Markets and Fostering Innovation
  • Public Policy
  • Retail Works for All of Us

Stay in the know

Subscribe to our newsletter