CDPA: Preparing for compliance

Morgan Sullivan
January 14th, 2022 · 10 min read

At a glance

  • The Consumer Data Protection Act (CDPA) is Virginia’s new privacy law.

  • To prepare for CDPA, businesses need to determine if they process “sensitive” data, provide consumers with clear options for opt-out and consent, develop an appeals process, and review third-party contracts.

  • CDPA enforcement will begin on January 1, 2023.

Table of contents

What is the CDPA?

How to Prepare for Virginia’s CDPA

Building a Compliant, Scalable Privacy Program

What is the CDPA?

Virginia’s data privacy law establishes a “framework for controlling and processing personal data”–outlining data rights for Virginia residents and obligations for the businesses that fall under the bills scope.

Like other state privacy laws, the CDPA was passed in response to concerns about the collection, storage, and use of personal data.

As revealed by a recent McKinsey survey, these concerns are shared by a majority of consumers:

87% of respondents stated they would not interact with a company if they were concerned about its cybersecurity protocols.

Currently, the CDPA only pertains to select businesses engaging in specific activities.

Scope: Who is subject to the CDPA?

Not all businesses that handle consumer data are subject to CDPA provisions. In short, the CDPA applies to:

  • For-profit organizations that conduct business within Virginia, AND

  • Businesses that target Virginia residents with their services or products

To be subject to CDPA provisions, any organization that falls into either of the above categories must also:

  • Process or control personal data from a minimum of 100,000 Virginia residents each calendar year OR

  • Process the data of 25,000 Virginia residents while deriving at least 50% of gross revenue from selling personal data

Consumer Rights Provided by the CDPA

According to the CDPA, businesses must respond to a consumer’s request to exercise one of their rights within 45 days. Controllers can extend the deadline by 45 days when necessary, but must notify consumers of the extension.

Aside from this guideline, the Virginia Consumer Data Protection Act grants consumers six fundamental rights:

Right to Access

Consumers retain the right to access their data. This provision also affords them the ability to confirm if a controller is processing their personal data or not.

Right to Correct

In addition to accessing their data, the Virginia CDPA grants consumers the right to correct any of their controlled data.

Right to Delete

Consumers have the right to delete their personal data. They can delete this data whether it was provided by them directly or obtained from another entity, such as through a lead purchasing platform.

Right to Data Portability

The CDPA grants consumers the right to receive a copy of their personal data. Controllers must provide the data to the consumer upon request and in an easily transmissible format.

Right to Opt Out

The fifth right outlined by the CDPA gives consumers the ability to opt out of processing their personal data for targeted marketing purposes. This right is one of the few provisions of the CDPA that has no listed exceptions.

Right to Appeal

Organizations must establish an appeals process consumers can use if their data request is denied, or the organization finds themselves unable to fulfill it for any reason. If an appeal is denied, controllers must inform consumers of their right to file a formal complaint with the attorney general. They must also explain how to file that complaint.

Who Enforces the CDPA

The Virginia CDPA is exclusively enforced by the Virginia attorney general. If the office of the attorney general elects to take action against a violator, they must notify the organization’s controller.

The controller must remedy the issue and submit a written notification stating that the violations have been resolved. Failure to comply can result in a fine of up to $7,500 per violation.


The Virginia CDPA has exemptions for specific entities and data types.

Exempted entities include:

  • Virginia state and local governing bodies

  • Organizations subject to the Health Insurance Portability and Accountability Act (HIPPA)

  • Institutions subject to the Gramm-Leach-Bliley Act (GLBA)

  • Non-profits

  • Higher education institutions

Exempted data types include:

  • Employee information: This is a notable divergence between CCPA and CDPA

  • Data already regulated by existing privacy laws (HIPPA, Fair Credit Reporting Act, Farm Credit Act, etc)

  • Personal information about individuals communicated with in a commercial setting i.e. the contact information for person at a company with whom you’re negotiating

How to Prepare for Virginia’s CDPA

Understanding new data privacy regulation, while important, is just part of the equation. Businesses must start actively preparing for the enforcement of these new laws, as non-compliance can come with heavy fines and other civil penalties.

2021 saw significant fines for tech heavy hitters like Amazon and WhatsApp, with new fines levied against Google and Facebook in the early days of 2022.

The Virginia Consumer Data Privacy Act goes into effect on January 1, 2023. Building out effective privacy infrastructure can be complex and time consuming, and the window for action is closing fast. It’s important organizations start preparing now so as not to be exposed to civil liability or financial penalties later.

To prepare for the VCDPA’s January 2023 deadline, affected businesses should consider the following steps:

Determine if your organization processes “sensitive” data

Similar to other privacy regulations (the Colorado Privacy Act and the CPRA), many of the CDPA’s requirements hinge on whether or not a company is processing “sensitive data”.

The definition of sensitive data differs slightly between different regulations, but generally refers to data concerning an individual’s ethnicity, mental health, religion, genetics, or personal identification numbers.

The CDPA defines two data types: personal and sensitive.

Personal data is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Sensitive data is defined as:

(1) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

(2) The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;

(3) The personal data collected from a known child; or

(4) Precise geolocation data.

As covered earlier, the CDPA specifically states that any entity processing sensitive data must first retain consumer consent - no exceptions.

To remain compliant with this requirement, organizations must first determine whether or not they process sensitive data. Then, they should determine where and how this data is being collected, and provide a clear path for consumers to consent or opt-out.

Determine whether a data protection impact assessment is necessary

data protection impact assessment entails first determining whether data is being used for “risky” activities, such as user profiling, advertising, or the sale of personal data

If it is, organizations must create a clear, documented structure for weighing the benefits and risks of processing sensitive data.

The VCDPA does not require that companies submit assessments to the Virginia attorney general; however, assessments must be available for evaluation upon request.

Develop a data request appeals process

The CCPA was the first U.S. privacy law to include obligations around an appeals process for data request refusals. In contrast, under the CCPA entities only need to inform consumers of their right to appeal, but are not required to support the process further.

Under the Virginia CDPA, companies are required to establish an internal process for appeals. Not only that, but the CDPA stipulates the appeals process must:

  • Include a mechanism for filing appeals that is easy to find and use

  • Have a fixed time period for the company’s response

  • Provide a way to contact the Virginia Attorney General in the event a company denies an appeal

Provide opt-out for advertising and profiling

With enforcement beginning on January 1, 2023, the CDPA requires that organizations provide a way for consumers to opt out of targeted advertising and other profiling. Implementation of this requirement often comes in the form of consent managers (such as cookie banners), which allow users to determine what, if any, tracking they will allow while on a site.

Review third party contracts

Many organizations share data with their third party vendors, a form of data sharing that does fall under the umbrella of CDPA.

According to the CDPA, all third party contracts must include language around data processing. This language must cover the types of personal data being processed, duties of deletion and return, the nature, purpose, and duration of processing, and more.

Building a robust yet scalable privacy program

With 15 states considering privacy legislation in their 2022 session, Virginia’s new data privacy law is just one among many.

Building a privacy program that’s compliant with CDPA is an important step, but savvy organizations will take this as an opportunity to get ahead and build a privacy program that’s not only robust, but scalable.

Here are a few general recommendations for organizations looking to build privacy programs that support compliance today and scalability tomorrow.

Work to create a program that spans all legislations

Considered in the long-term, it’s clear privacy regulation isn’t going away. With new legislation being passed year after year, and more on the horizon, organizations should consider how to set themselves up for success today, tomorrow, and ten years from now.

Of course, predicting future legislation is difficult, but current legislation and bills under consideration do offer compelling clues as to where this sector is headed.

Consider the rules defined in recent bills and then assume those same obligations will show up, in some form or another, in all future privacy legislation.

For example, Virginia’s CDPA and the Florida Privacy Protection Act (currently under consideration for 2022), have the same provisions around scope. A business must:

  • Process or control personal data from a minimum of 100,000 state residents each calendar year OR

  • Process the data of 25,000 state residents and derive a minimum of 50% of gross revenue from selling personal data

Naturally, there will be exceptions and nuances with each new round of legislation, but legal precedent is powerful and it’s highly likely future privacy bills will share similar scope and structure.

In terms of strategies that work all across the board, data minimization is one all organizations should consider. Data minimization addresses core privacy issues at the source–the less data you have to map, manage, and address, the less opportunities there are to become non-compliant.

Consider your company’s tech stack

Seek out comprehensive privacy solutions that will allow your organization to encode privacy across all data sources and automate manual tasks such as data subject requests, consent, and data mapping.

Automated platforms are more cost-effective than manual workflows or point solutions. Moreover, these technologies can help bridge the divide between legal, IT security, and engineering teams: minimizing complexity and ensuring everyone is on the same page.

Work towards building cross-functional privacy culture

Siloing privacy to a single team or individual is a recipe for poor productivity and wasted resources. Implementing data rights is by nature a cross-functional activity that spans across teams. Investing in proper training and resources, while building the concept of privacy into the fabric of your organization will pay massive dividends as regulation evolves.


Going forward, businesses can expect to encounter more legislation like Virginia’s privacy law. New legislation is sure to originate at the state level, and eventually is likely to come at the Federal level as well.

Navigating the nuances of these legal changes will only get more complex. Savvy businesses will start preparing now by first learning how they’ll be affected by new legislation, and then investing in people, programs, and solutions that ensure comprehensive internal compliance and data rights for consumers.

Additional resources

About Transcend

If your organization has been impacted by the Virginia CDPA or other consumer data laws, Transcend can help you ensure compliance. Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.

Looking to evaluate your current privacy program and discover any hidden costs? Explore our privacy request cost calculator.

More articles from Transcend

Pioneering data privacy across digital analytics with Transcend and Amplitude

As our world becomes more digital, companies track an increasing amount of user behavior to help drive efficiency and provide insights to their teams.

January 5th, 2022 · 1 min read

Better Together: Cross-functional privacy wins and how to replicate them in 2022

Recapping Transcend's end-of-year breakfast with Whitney Merrill of Asana, Nishant Bhajaria of Uber, and Transcend CEO Ben Brook.

December 22nd, 2021 · 6 min read

Privacy XFN

Sign up for Transcend's weekly privacy newsletter.

San Francisco, California Copyright © 2022 Transcend, Inc.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Link to $ to $ to $