Request a Demo

How Your Business Can Prepare for Virginia’s CDPA

Virginia’s Consumer Data Protection Act (CDPA) will also go into effect starting January 1, 2023. While it borrows heavily from California’s CPRA, we unpack the unique provisions your business needs to consider for privacy compliance in the Commonwealth.

This is the second article in Ethyca’s state privacy law series that will help your business prepare for the new state regulations coming into force in 2023. The next law we will unpack is Virginia’s Consumer Data Protection Act (CDPA, also called VCDPA). Like California’s CPRA, this law will go into effect on January 1, 2023.

Let’s take a closer look at the requirements of CDPA, and go over how your company can start preparing for compliance in the next couple of months. 

Does CDPA Apply to Your Business?

Before overhauling your business’s current privacy program, determine whether your business even needs to worry about the privacy law in Virginia.

The Consumer Data Protection Act will apply to your business if it:

  • Conducts business within Virginia, or targets products and services to Virginia residents.
  • Controls or processes the personal data of at least 100,000 consumers, or the personal data of at least 25,000 consumers and 50% of revenue comes from selling such data.

Based on these conditions, CDPA only applies to businesses that hold large quantities of consumer data. It’s less likely to apply to B2B businesses, and it does not apply to businesses that hold little personal data.

For companies that must comply with Virginia’s state privacy law, we’ll go over how you can start preparing for the new year.

What’s Included in Virginia’s Consumer Data Protection Act? 

Virginia’s Consumer Data Protection Act is the U.S.’s second state-level comprehensive modern consumer data privacy law. CDPA passed on March 2, 2021, and borrows heavily from the California Consumer Privacy Act (CCPA) – before the CPRA amendments were voted in.

As we mentioned in the first article of this series, preparing for California’s state privacy law will help your business get ready for other state privacy laws like CDPA. But, as our CEO Cillian Kieran has mentioned, it’s not a one-size-fits-all solution. Compliance with one state law does not guarantee compliance with another. 

To make sure your business is CDPA-ready by next year, let’s go over the provisions of Virginia’s state privacy law. 

(We know that privacy acronyms can be confusing, so feel free to bookmark our Data Privacy Acronyms List for your ease of reading).

Right to Correction and Right to Appeal

Along with the rights to access, erasure, portability, and non-discriminatory practices established in CPRA, Virginians will also have the right to correct the information companies have on them, as well as appeal to businesses that have failed to process such requests. 

By next year, consumers can request that businesses edit any incorrect data stored about them. Consumers will also be able to appeal to companies that have not processed their requests within the 45 days mandated under CDPA. 

Right to Opt-Out 

The CDPA also gives Virginians the right to opt out of certain data processing from businesses, such as the selling of their personal data. This provision aims to protect consumers from targeted advertising and user profiling. 

Data Processing Agreements 

Starting next January, businesses will be required to enter into data processing agreements (DPA) with data processors. These agreements will govern what data processors are allowed to do and not allowed to do with consumers’ data.

Based on CDPA’s standards, these agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”

Data Protection Impact Assessments 

CDPA will also require businesses to produce Data Protection Impact Assessments (DPIAs). These are assessments that analyze the privacy benefits and risks of processing activities on the business itself, consumers, and other related stakeholders. 

Your company must produce and document a DPIA for data processing activities involving:

  • Targeted advertising.
  • Selling personal data.
  • Processing personal data for profiling.
  • Processing sensitive data.
  • Processing activities that could add further risk or harm consumers.

This provision means your business needs to know not only where data lies in its systems, but also how and why it’s there. Not having a specific reason for collecting and keeping data will make your company more vulnerable to privacy violations. 

To ensure your business stays compliant with CDPA, make sure you’re collecting and processing data in ways that respect consumers’ rights.

How Ethyca Can Help Your Business Comply With CDPA

Whether it’s Virginia’s or California’s state privacy law, Ethyca can empower your business to succeed in regulatory compliance.

First, Ethyca will be making a series of updates to the Consent Management experience to make sure your company complies with the new 2023 regulations. These updates will allow your business to classify your collected data under multiple data categories. With Ethyca’s Consent Management Platform, consumers will also have control over opting in or out of data processing activities. Additionally, your company will be able to store users’ consent preferences for reporting and auditing purposes. 

With the Fides privacy engineering platform, your business will also be able to seamlessly orchestrate users’ privacy requests. You’ll also be able to create a dynamic data map, to identify and discover PII living across all systems in your business. This will enable your business to easily fulfill access, erasure, and correction requests from consumers. With full data discovery and visibility across different systems, you’ll be able to automate users’ requests, saving your team time, money, and effort in the new year. Fides’ Privacy as Code power is also a great foundation for building auditable processes around DPIA workflows in your organization.


As both CDPA and CPRA will be enacted on January 1, 2023, your business needs to make sure it prepares for these laws by the start of next year. It can be frustrating for a business to deal with the differences of state by state privacy laws. But these privacy regulations relate to each other in ways that make preparing a little easier. 

Ethyca is also here to help you ensure your business is compliance-ready for any U.S. privacy law in any state.

Ready to get started?

Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!

Request a Demo