Client Alerts

Virginia Passes New Consumer Data Protection Act

By: Frances Floriano Goins

About: Cybersecurity & Privacy

March 8, 2021 – In what might prove to be a growing trend, on March 2, 2021, the Governor of Virginia signed into law the comprehensive Consumer Data Protection Act (CDPA), making Virginia the most recent state to enact such a law after California and the more limited Maine Act to Protect the Privacy of Online Customer Information and Nevada Senate Bill 220. The CDPA will become fully effective on January 1, 2023.

The CDPA adopts aspects of the European Union’s General Data Protection Regulation (GDPR), and California’s Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA). The CDPA applies to businesses that collect or process large amounts of consumer data and either do business in Virginia or target Virginia residents, but excludes coverage of financial institutions subject to the Gramm-Leach-Bliley Act and entities subject to the Health Insurance Portability and Accountability Act. Unlike the CCPA, the CDPA does not apply to employee data or business-to-business data collections.

Under the new law, Virginia consumers will have new rights to access, correct, delete, and obtain copies of their personal data from covered businesses and, significantly, to opt out of having their personal data used for targeted advertising. The new law also creates various responsibilities for companies that collect (controllers) and process (processors) consumers’ personal data to ensure security and privacy. Controllers have additional duties to:

Processors’ duties are generally set out in their DPAs with controllers.

While the CDPA does not provide a private right of action for consumers, the Virginia Attorney General is expected to vigorously investigate and enforce violations of the new law, and, where appropriate, seek penalties against violators of up to $7,500 per violation for failure to cure within 30 days of notice.

There is still time for businesses to assess whether they may be subject to the CDPA as well as prior states’ comprehensive privacy laws. Virginia’s new law may be the catalyst that pushes Congress to enact a preemptive federal consumer data privacy law, but in the meantime it is clear that other states are in the process of enacting their own data privacy laws.  While it is challenging for businesses to comply with the patchwork of states’ data privacy laws, it is critical to do so to minimize or avoid costly investigations and penalties.

Ulmer’s Cybersecurity & Privacy Practice Group stays ahead of developing laws like the CDPA and can help make sure that you comply with these and other potentially applicable privacy requirements. If you have any additional questions, please reach out to our experienced data privacy attorneys.

The information provided in this client alert speaks only to the information and guidance we have available as of the date of publication and is subject to change. We will continue to follow further issued guidance and regulations and endeavor to post those updates via our website. Please continue to follow these updates at This legal update was created by Ulmer & Berne LLP, and is not intended as a substitute for professional legal advice. Receipt of this client alert, by itself, does not create an attorney client relationship. For any questions, or for further information, please contact Frances Floriano Goins at