New privacy bill sent to Virginia governor for signature into law

Date published





Updated March 4, 2021. On March 3, 2021, SB 1392/HB 2307, the Consumer Data Protection Act (CDPA), was signed into law, establishing a framework for processing personal data in Virginia. Virginia becomes the second state to enact privacy legislation, providing residents with data access, portability, and deletion rights. The CDPA also employs GDPR concepts of controllers and processors. Here is a brief breakdown of the legislation:

  • Applies to all persons conducting business in Virginia that (i) controls or processes personal data of at least 100,000 consumers, or (ii) derives greater than 50% of its gross revenue from the sale of personal data while also controlling or processing the personal data of at least 25,000 consumers. The “sale of personal data" means an “exchange of personal data for monetary consideration by the controller to a third party.” 
  • Establishes responsibilities and privacy protection standards for data controllers and processors, with certain exceptions.
  • Grants consumers rights of access, accuracy, deletion, data portability, and allows consumers to opt-out of the processing of personal data for purposes of targeted advertising.
  • Specifically, for the opt-out right, consumers (i.e., Virginia residents) may opt-out of the collection of their data “the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
  • Requires a “reasonably accessible, clear, and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) The purpose for processing personal data; (3) How consumers may exercise their consumer rights pursuant § 1-573, including how a consumer may appeal a controller's decision with regard to the consumer's request; (4) The categories of personal data that the controller shares with third parties, if any; and (5) The categories of third parties, if any, with whom the controller shares personal data.”
  • Sets forth certain data security requirements, including roles and responsibilities of data “controllers” and data “processors,” concepts employed under GDPR and other non-U.S. privacy laws.
  • The Attorney General has exclusive authority to enforce violations of the law. There is no private cause of action.
  • The bill has an effective date of January 1, 2023.


The bill defines a “consumer” as a “natural person who is a resident of the Commonwealth acting only in an individual or household context,” but excludes commercial or employment activities.

The bill defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but does not include de-identified data or publicly available information. It has a separate designation for “sensitive data,” which means personal data “revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”; the “processing of genetic or biometric data for the purpose of uniquely identifying a natural person”; “personal data collected from a known child”; and “precise geolocation data.”

The bill would not apply to Virginia governmental agencies; organizations governed by GLBA, HIPAA, the HITECH Act; or to nonprofit organizations or institutions of higher education.

We will provide more information.