Virginia Consumer Data Protection Act (S.B. 1392): What You Need to Know

Virginia has become the first state to enact a data protection law in 2021. The Virginia Consumer Data Protection Act (S.B. 1392) combines many of the compliance obligations mandated by the California Consumer Privacy Act and the data processing principles put forth by the General Data Protection Regulation. The law becomes effective January 1, 2023.

Below are high-level details about the CDPA. Please contact our firm to determine whether your organization must comply with the CDPA, and, if so, the specifics regarding such compliance.

The law applies to your company if:

  • you conduct business in the Commonwealth of Virginia
    or
  • produce products or services targeted to residents of the Commonwealth
    and
  • you control or process personal data of at least 100,000 consumers during a calendar year or
  • control or process personal data of at least 25,000 consumers and derive over fifty percent of your gross revenue from the sale of personal data.

You must provide consumers the following rights:

  • To know if you process their personal data
  • To access their personal data
  • To request correction of inaccuracies in their personal data
  • To deletion of their personal data
  • To data portability
  • To opt out of targeted advertising, sale or profiling

Data Processing Principles:

  • Data minimization
  • Purpose limitation
  • Integrity and confidentiality
  • Non-discrimination
  • Limit on processing sensitive data
  • The right to opt out of targeted advertising, sale or profiling

Other Obligations

  • Provision of a privacy notice
  • Contracts with processors
  • Data Protection Assessments