[co-author: Gabriella Manduca] On March 2, 2021, Virginia Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (CDPA), making Virginia the second state after California to enact comprehensive privacy legislation. The CDPA will become effective on January 1, 2023, the same day the California Privacy Rights Act (CPRA) comes into effect, replacing the current California Consumer Privacy Act (CCPA), which went into effect in 2020. The new Virginia law draws on concepts from the European Union’s General Data Protection Regulation (GDPR) (such as the use of “controllers” and “processors”) and from California’s laws (such as the rights of consumers). The net result will be a more complicated privacy compliance environment for companies that will be further exacerbated if additional states enact their own “similar but different” approaches to privacy law. Which Businesses Are Covered? The CDPA applies to entities that conduct business in Virginia and those that conduct business outside of Virginia but offer products or services to Virginia residents if they: control or process the personal data of at least 100,000 consumers during a calendar year, or control or process the personal data of at least 25,000 consumers and derive at least 50% of their […]
