Following in California's footsteps, Virginia recently passed its own comprehensive consumer data privacy legislation, the Consumer Data Protection Act (CDPA). CDPA introduces a new set of data rights for consumers in Virginia while also creating new obligations for businesses. As the second comprehensive state privacy law in the United States, the CDPA's passage is a significant milestone in the country's privacy regulations.
DEFINING SCOPE AND PERSONAL DATA
CDPA "applies to all persons that conduct business in Virginia and either: control or process personal data of at least 100,000 consumers or derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers."
Unlike the California Consumer Privacy Act (CCPA), CDPA involves no revenue threshold to establish a compliance obligation, but it does include a number of significant exemptions. While CCPA only exempts the data that is subject to most existing U.S. sectoral privacy laws, CDPA exempts employee-related data as well as the actual entities that are subject to those sector-specific laws, even if the activity is not within the scope of those regulations. Financial institutions and health care organizations, for example, will likely have no obligation to comply with CDPA.
The law defines "personal data" broadly as any information that is "linked or reasonably linked to an identified or identifiable natural person." Publicly available information and de-identified data--information that "cannot reasonably be linked to an identified or identifiable natural person [or] a device linked to such person"--do not constitute personal data.
CDPA also expands California's definition of...