Overview of the Virginia Consumer Data Protection Act

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Overview of the Virginia Consumer Data Protection Act

New Consumer Data Privacy Requirements for Virginia Businesses

During the 2021 General Assembly session, Virginia passed the Consumer Data Protection Act (CDPA), joining California with establishing comprehensive data privacy rules. The CDPA, which takes effect on January 1, 2023, creates a set of requirements that companies must follow when collecting and using Virginia residents’ personal information.


The CDPA applies to companies that conduct business in Virginia and either:

  • Control or process personal data of at least 100,000 Virginia residents, or
  • Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents.

The Act does not apply to state or local governmental agencies and includes exceptions for certain types of data and information governed by federal law such as GLBA, HIPAA, and HITECH.

Consumer Data Privacy Rights for Virginia Residents

Virginia residents have certain data privacy rights that companies (as defined in the Applicability section above) must comply. Virginia residents can:

  • Determine if a company is processing their personal data.
  • Require a company to correct inaccuracies in their personal data.
  • Require a company to delete their personal data.
  • Obtain a copy of their personal data that was previously provided to the company.
  • Opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling.

Consumer Data Privacy Responsibilities for Virginia Businesses

Under the Act, companies are responsible for performing the following:

  • Responding to Virginia residents’ personal data requests within 45 days of receipt of the request.
  • Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Providing consumers with a reasonably accessible, clear, and meaningful privacy notice.
  • Disclosing to the consumer and allowing them to opt out if it sells personal data to third parties or processes personal data for targeted advertising.

Use of Third-Party Service Providers

If a company provides personal data to a third-party service provider, the service provider must adhere to the instructions of the company, as detailed in their contract, and assist it in meeting its obligations under the Act, to include:

  • Responding to consumer rights requests.
  • Securely processing personal data and complying with security breach notification requirements.
  • Providing necessary information to enable the companies to conduct and document data protection assessments.

Data Protection Assessments

The company is required to conduct and document a data protection assessment for each of the following processing activities involving personal data:

  • Processing of personal data for purposes of targeted advertising.
  • Sale of personal data.
  • Processing of personal data for purposes of profiling.
  • Processing of sensitive data.
  • Processing activities involving personal data that present a heightened risk of harm to consumers.

The data protection assessments will the assess the risks of having the data and the safeguarding activities that are needed to reduce those risk such as the use of de-identified data.

If the company already performs data protection assessments for compliance with other laws or regulations that are comparable to the CPDA requirements, the Act allows for the company to utilize those assessments. Additionally, the data protection assessment requirements do not go into effect until January 1, 2023 – they are not retroactive.

Virginia Consumer Data Protection Act Violations

The state of Virginia has the exclusive authority to enforce violations. The state could impose damages to companies and/or third-party service providers up to $7,500 for each violation.

Next Steps to Becoming Compliant with the Virginia Consumer Data Protection Act

While the Act is not effective until January 2023, companies need to begin the process of getting ready to comply with the Act requirements. The steps that a company should take include:

  • Determining if the company obtains enough Virginia resident personal information that requires it to comply with the Act.
  • The company needs to determine what personal data is obtained, what data is needed, where is the data stored, and who has access to the data. The company then needs to implement a cost-effective strategy to adequately protect the data, which could include reducing the personal data obtained to only the data needed, limiting where the data is stored, and segregating the data and limiting who has access to it.
  • Implementing company-wide procedures that will allow it to comply with the Act. While the Information Technology group will have a significant role in protecting the personal data, the company will need to look at how all departments, such as Sales, Marketing, Operations, and Finance intake, store, use, and distribute personal data.
  • If third parties are used and have access to Virginia resident personal data, the company needs to review the contracts with the third parties to determine if the terms allow for compliance with the Act. If the terms are not sufficient, the company needs to renegotiate the terms with the third party that allow for compliance with the Act.
  • Performing a data protection assessment. The data protection assessment should detail the risks, risk severity based on the likelihood/impact of occurrence, and the controls in place to mitigate the risks. Through this evaluation, the company will identify gaps that need to be remediated to adequately protect the personal data

If your business has offices or clients outside of Virginia, it’s important to stay up to date on changing privacy laws in the states where your operate. As of now, other states to watch closely for potential privacy laws this year are Colorado, Connecticut, Florida, New York, Minnesota, Oklahoma, Ohio and Washington.

Although the Act does not go into effect until January 2023, you can build trust with your clients by complying with the requirements in advance and providing transparent communication to your clients on how their data is used.

Questions on this or other data security topics? Contact your Opportunity Advisor or Email | Call: 804.747.0000. We are here to help.

Re-Evaluating Internal Controls in a Remote Environment

Share this Insight:

About the Author

Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us