Earlier this month, the state of Virginia signed the Virginia Consumer Data Protection Act (CDPA) into law, making it the second U.S. state after California to enact a comprehensive state privacy law. Advocates of the law include retail giant Amazon.  
 

The CDPA has been compared to California’s CCPA, which is considered the most stringent consumer data protection law in the U.S.   
 

Who will the law affect? 
 

The law will affect certain businesses operating in Virginia, specifically: 
 

An organization that conducts business in Virginia or offers products or services to Virginia consumers, and (2) meet one of the following requirements: 

• During a calendar year, controls or processes the personal data of at least 100,000 consumers; or 

• Controls or processes the personal data of at least 25,000 consumers and earns over 50% of gross revenue from the sale of personal data. (Source: National Law Review) 
   
  

Once the CDPA is in effect, Virginia residents will have the right to access, rectify, delete, ask for, and opt-out of the sale and processing of their personal information. 
 

The following entities are exempt from the CDPA: 

• Virginia public entities

• GLBA-covered financial companies

• HIPAA-covered entities

• Non-profit organizations

• Tertiary education institutions 

 
Certain types of data have also been exempted from the law including employer data, private health information (PHI), and data regulated by HIPAA and FERPA. 
  

The CDPA will be enforced by the Virginia Attorney General. Unlike the CCPA, under the provisions of the CDPA, private citizens do not have the right to action lawsuits against companies who infringe on their rights. 
 

Data Protection becomes mandatory 
 

As with the GDPR, the CDPA requires businesses to "establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data." 
 

This means that businesses will need to take adequate measures to ensure their sensitive data is protected, including implementing data protection methods such as data masking, which ‘masks’ sensitive data with safe, replacement data that cannot be used to identify an individual.  
 

Data protection assessments are also mandatory under the law. 
 

The CDPA comes into effect on 1 January 2023 (the same day the California Privacy Rights Act (CPRA) comes into effect.) 
 

Make sure your private data stays protected by implementing sound data protection methods like Hush-Hush data masking, which integrates with the tools your developers are already familiar with and scales according to the needs of your business. 
 

Request a free demo or trial today.