Gov. Ralph Northam signed the Customer Data Protection Act (CDPA) into law on Tuesday, making Virginia the second state in the nation to pass a comprehensive privacy regulation after California.
In a statement, David Marsden, the state senator who originally introduced the bill, called the move “a huge step forward.”
Not everyone agrees. The Electronic Frontier Foundation, a civil rights and privacy advocacy group, didn’t think the CDPA went far enough when it was still a bill and encouraged citizens to write to Northam and tell him so.
But Northam, who had previously expressed support for the bill and was expected to sign, clearly wasn’t swayed.
The CDPA will go into effect on Jan. 1 2023, which also happens to be the same day that the California Privacy Rights Act or CPRA is set to take effect. CPRA is a data privacy bill that passed as a ballot measure in November and serves as an amendment that bolsters the California Consumer Privacy Act (CCPA).
Virginia’s new data privacy law applies to anyone that conducts business in the state or that has products or services targeted at Virginia residents. It also includes businesses that process the personal data of 100,000 or more Virginia consumers annually, make 50% or more of their gross revenue from the sale of personal data and/or process the personal data of 25,000 or more Virginia residents annually.
There is no revenue threshold for applicability under CDPA like there is under CCPA, which covers businesses that have gross annual revenue of $25 million or more.
One aspect of CDPA that’s particularly interesting is that it’s an opt-in law, which means that a business needs to get clear, specific and informed consent before it can process someone’s personal data.
That language is reminiscent of the EU’s General Data Protection Regulation and sets a higher standard than the CCPA, which takes an opt out approach.
Also more like GDPR than CCPA, CDPA grants Virginia residents a bunch of new rights, including the right to request and receive personal data about themselves in an easy-to-understand, portable format; to correct inaccurate information about themselves; to delete personal data about themselves; and to opt out of the processing of their personal data at any time for targeted advertising or any kind of profiling.
By comparison, the CCPA only provides a right to know and a right to delete.
Also unlike CCPA, Virginia’s law does not include a private right of action, meaning that Virginia’s attorney general will be the sole enforcement authority of the law.
So, who’s next after Virginia? Take your pick.
More than 15 states have either introduced a data privacy and consumer protection bill or currently have one in committee, including Alabama, Florida, Illinois, Iowa, Kentucky, Minnesota, Mississippi, Nebraska, New Mexico, New York, North Dakota, Oklahoma, Pennsylvania, South Carolina, Utah, Washington state and Wisconsin.