• Henry Park

Virginia's Consumer Data Protection Act


Now that Virginia has its own comprehensive data protection law, to whom does it apply and what does it cover?


The CDPA applies to "persons that conduct business in Virginia or produce products or services that are targeted to" Virginia residents and that either:

a. Control or process the personal data of at least 100,000 consumers during a calendar year, or

b. Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.


See Section 59.1-572(A)


What is consumer personal data?


"Consumer" is defined as "a natural person who is a resident of the Commonwealth acting only in an individual or household context" (see Section 59.1-571). This means that the CDPA explicitly omits a person from its definition where they are acting in a commercial or employment context.


Personal data is defined as "any information that is linked or reasonably linkable to an identified or identifiable natural person," and an "identified or identifiable natural person” is “a person who can be readily identified, directly or indirectly” (see Section 59.1-571).


Thus, the definition of personal data excludes employee data, business-to-business data, de-identified data, and publicly available information. Publicly available information includes "information that is lawfully made available through federal, state, or local government records” and "information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience" (see Section 59.1-571).


The CDPA excludes types of information


Additionally, if data is covered by other existing privacy laws, then there are exemptions (see Section 59.1-572(C)). Such as for information regulated by the GLBA, the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Farm Credit Act, and the Family Educational Rights and Privacy Act. Additional exempted types of information include specific employee and job applicant data.


The CDPA also excludes five classes of entities:


1. A body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision.

2. Any financial institution or data subject to the Gramm-Leach-Bliley Act.

3. A covered entity or business subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.

4. A nonprofit organization.

5. An institution of higher education.


See Section 59.1-572(B).


Image from wikimedia.org.