Reed Smith In-depth

On March 2, 2021, Virginia’s governor, Ralph Northam, signed the Virginia Consumer Data Protection Act (CDPA, or the Act) into law. The CDPA is set to take effect on January 1, 2023, and is the second comprehensive consumer privacy law to be enacted in the United States behind the California Consumer Privacy Act (CCPA), recently amended by the California Privacy Rights Act (CPRA). The CPRA, which is discussed at length on, is also set to take effect on January 1, 2023.

In short, the CDPA works to establish a comprehensive framework for controlling and processing personal data in Virginia, drawing on both the CCPA/CPRA and the European Union’s General Data Protection Regulation (GDPR).

Scope and exemptions

The CDPA applies to all businesses that (i) control or process personal data of at least 100,000 Virginia consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The Act defines the “sale of personal data” as “the exchange of personal data for monetary consideration by the controller to a third party.”1

A “consumer” is defined as “a natural person who is a resident of Virginia acting only in an individual or household context.” Importantly, it does not include a natural person acting in a commercial or employment context, and, therefore, the data subject rights and protections provided will extend only to individual consumers of goods and services.