The New Virginia Consumer Data Protection Act – What Does It Mean for My Firm?


On March 2, 2021, Virginia Governor Ralph Northam signed into law the Consumer Data Privacy Act (CDPA), which will take effect in 2023. The CDPA is similar to an existing data privacy law, the California Consumer Privacy Act (CCPA), in that it will give consumers the right to:

  • Access their data.
  • Obtain a copy of their data.
  • Correct mistakes in their information.
  • Request that their information be deleted.
  • Opt out of their information being collected.

One key difference between the two regulations is that, under Virginia’s CDPA, individuals do not have a right to private action for a data breach like they do in California.


The CDPA applies to individuals and firms that:

  1. Conduct business with or target the sale of goods or services at Virginians; and
  2. Process the data of at least 25,000 people annually when:
    1. More than half of the business’s revenue is gained by selling personal data; or
    2. Process the personal data of at least 100,000 people annually.

Unlike California, Virginia does not have specific revenue-related requirements for determining which businesses are subject to these regulations; the CDPA applies regardless of revenue.


Certain regulated financial service entities, among others, are exempt from Virginia’s new data privacy regulation.

Also exempt from the CDPA is data already controlled by other regulations like the Gramm-Leach-Bliley Act (GLBA). The GLBA, enacted in 1999, created obligations for financial institutions to protect consumer financial privacy and safeguard non-public information. There are three main provisions of the GLBA:

  1. The Privacy Rule: requiring covered entities to provide privacy notices explaining what the entity does with consumer data as well as the consumer’s right to “opt-out.”
  2. Safeguards Rule: requiring covered entities to protect consumer information.
  3. Pretexting Provisions: prohibiting obtaining customer information by false pretenses.

If your business is already subject to the GLBA, then Virginia’s CDPA will not apply to you.


If your business meets the above requirements and does not qualify for an exemption, you should begin preparations for CDPA compliance. Virginia’s new law will go into effect on Jan. 1, 2023, giving businesses nearly two years to either modify operations to avoid being subject to these rules or to update policies and procedures according to regulations.

Regardless of CDPA status, your firm’s privacy policies should be reviewed and updated regularly to ensure compliance with any applicable laws and regulations. Because it can be difficult to keep up with new requirements, Fairview Cyber is available to help you determine which laws your business is subject to and then update your policies and procedures appropriately. Contact Fairview Cyber today if you have questions about CDPA, GLBA, or other data privacy laws and to start the conversation about what we can do for your business.