What you need to know about the Consumer Data Protection Act

Chris Arrendale

5 minute read

Jan. 1, 2023 – Put this date in your calendar and circle it in red. It’s the day the second major state law governing consumer data privacy and security goes into effect, and it will likely affect your company’s operations.

I’m talking about Virginia’s Consumer Data Protection Act – commonly referred to by its acronym CDPA, which sounds like two other major data laws, the CCPA (the California Consumer Privacy Act), and GDPR, the European Union’s General Data Protection Regulation

If your company revamped its data policies to comply with GDPR, CCPA or both, you’re probably in a good position to comply with CDPA. If not, you now have 8.6 million more reasons (that’s Virginia’s estimated population as of 2020) to get your data processes, procedures and policies in order.  Like CCPA and GDPR, Virginia’s CDPA has many implications for marketers. 

In this post, I’ll present a general introduction to CDPA, how it compares with CCPA and GDPR, and what you need to do now to comply with these laws. Disclaimer: I will review these laws at a high level and am not offering legal advice. Please consult your legal team or attorneys who specialize in data security and compliance.

CDPA scope, provisions and penalties – 

CDPA requires companies to get a consumer’s explicit opt-in to collect or process personal data and then regulates the collection, use, processing, storage and security of that data. 

However, that doesn’t apply to email marketing, where CAN-SPAM’s requirement of a working opt-out remains the legal requirement.

CDPA focuses on how companies collect, use, protect, share and manage consumer data, making specific provisions for sensitive data like personally identifiable information.

Key points to consider –

1. Who must comply?

  • Any for-profit business doing business in Virginia that controls, processes, uses or sells the sensitive or private data of at least 100,000 Virginia residents. 


  • Any for-profit business that controls the data of 25,000 or more Virginia consumers in a single business year and earns at least 50% of its revenue from using consumers’ personal information.

2. What is “sensitive data?”

It includes these categories: 

  • Racial or ethnic background 
  • Religious beliefs or affiliation 
  • Health information, including mental health status 
  • Citizenship or immigration status
  • Personal financial data 
  • Genetic or biometric data (fingerprints and face/voice recognition)
  • Geolocation

3. How does CDPA impact existing federal laws?

CDPA doesn’t displace the numerous federal laws that already regulate sensitive and personal data collection, use, storage and management, including these:  

  • HIPAA (the Health Insurance Portability and Accountability Act)
  • FERPA (the Family Educational Rights and Privacy Act) 
  • COPPA (the Children’s Online Privacy Protection Act)
  • FCRA (the Fair Credit Reporting Act)

4. What are the penalties for violating the law?

The Virginia Office of the Attorney General is the leading prosecutorial office for investigating CDPA complaints. Only the Attorney General’s office can file complaints or take other actions.

Once a company has received an official complaint, it has 30 days to respond and correct problems. If the company doesn’t comply and is found to have violated the law, the penalty is $7,500 per violation.

5. What are a consumer’s rights under CDPA?

Virginia residents (living in the state or maintaining resident status but living out of state) have these rights under the law:

  • Opt out of data processing for targeted advertising or profiling
  • Request access to their data
  • Correct errors in their data
  • Delete their personal data
  • Get copies of their data in a format they can use without paying for software applications to read or access it
  • Suffer no discrimination from companies for opting out of data collection

6. I don’t know how much of my data covers Virginia residents. What should I do?

Review your data now for geolocation, such as the IP address location your customers use when they browse your website or open and click on emails. Can you map that back to individuals?  

If not, be conservative. Assume everyone in your list is from Virginia. Also, do what you can to identify location, whether by reviewing IP addresses, asking for location wherever you collect data.

7. How does CDPA compare with CCPA and GDPR?

CDPA borrows from both CCPA and GDPR, but its explicit opt-in for collecting and managing data comes directly from the EU law. Here are some other relevant comparisons:

  • Narrower compliance: CDPA interprets compliance more narrowly than CCPA. It requires that companies meet thresholds on both the number of Virginia residents they affect and the percentage of revenue attributed to selling their data. CDPA also limits data sales to those where money changes hands. CCPA includes monetary and other considerations.
  • Opt-in versus opt-out: Like GDPR, CDPA requires companies to get an informed, active consent (no checked boxes or passive permission) to collect sensitive data. CCPA allows consumers to opt out of selling personal data. 
  • “Public information” definition differs: Both CCPA and CDPA exempt “publicly available information” but the two laws define it differently. CCPA’s interpretation is stricter, meaning the information has to have been obtained  legally from government records and excludes data collected without the owner’s consent. CDPA interprets the term more broadly to include any information made public, as long as it was exposed legally.

What do I do now?

From a data-management perspective, 2023 is not that far away. These should be among your first steps:

Review Trendline’s guidance for CCPA compliance: Bookmark and share Trendline’s 10-step checklist for complying with CCPA. This incredibly valuable checklist suggests several organizational changes, such as creating a cross-department steering committee that includes representatives from every department that touches consumer or customer data. 

Reach out to data teams: It’s in your best interest to build and maintain good relations with your IT and data groups, as well as the companies that store and process your data. 

As a marketer, you are focused on collecting and using your data for email, search, SEO and other applications. But if that data gets breached, your company could be in an even bigger world of trouble if it happens after CDPA goes into effect.  Keep in mind that the $7,500 penalty is per violation, so depending on how many Virginians are in your database you could have quite the predicament on your hands.

Follow these four good data practices:

  • Don’t collect data you don’t need. Especially on first contact, collect only what you need to begin the customer relationship. You can use progressive profiling to ask for more data as the need arises. 
  • Don’t share or sell data without permission. Also, review your third-party contracts that govern data processing and security protocols. If you do sell data, know where it will go.
  • Store the data securely. Use storage services that comply with the strictest security protocols. Also, audit your data practices. Limit access only to those people who have a business reason to use it and review your in-house security procedures.
  • Delete the data when you don’t need it anymore. Data laws like CDPA, CCPA and GDPR are direct responses to data breaches. Data breaches happen when we don’t handle, share, sell, store or secure it properly. Collecting unnecessary data and keeping it around when you don’t need it just increases your exposure to a breach. 

Beside causing personal damage, a breach can erode trust and equity in your brand. Some big brands, like Target, can survive a data breach. Smaller ones are far more vulnerable.

What’s next after Consumer Data Protection Act (CDPA)?

California and Virginia are in the headlines because they are the first states to enact sweeping consumer data protection laws. But they won’t be the last. At least 15 states have legislation in various stages.

You can track this legislation with an interactive map maintained by IAPP (the International Association of Privacy Professionals). The map lists legislation status in a color-coded map of all 50 states and includes side-by-side comparisons and state-by-state status updates. 

As more states focus on consumer data protection laws, the need for a national standard is becoming ever clearer. Proposed state bills have many different, and sometimes competing, variations, which makes compliance a headache for national or international companies. 

A federal law that would set national standards is in the works. Congressional Democrats and Republicans have drafted initial bills, but action on the bill isn’t expected until later in 2022 or in 2023 given other legislative priorities.

Trendline can help!

If you need guidance, feel free to contact Trendline compliance experts. Although we don’t offer legal advice, we have worked with numerous clients in training and advocacy for years and are very involved in industry privacy and security organizations. We would love to help you be sure you are charting the right course to safeguard your customers’ data and retain their trust and loyalty. 




Trendline Interactive

Ready to send better messages?

About the Author(s)

Chris Arrendale

Founder of Inbox Pros (acquired by Trendline in July of 2018). Author of Deliverability Inferno. Certified expert and frequent speaker on the topics of data privacy, deliverability and compliance. BA in Poli-Sci/Soc from Emory, MS in Software Engineering & IT from Southern Polytechnic State University. A shoe and wine collection that’s the envy of pro athletes. Follow Chris on LinkedIn

Let's Take This to the Inbox

Sign up for our news, resources and updates. The inbox is our favorite place after all. We’ll make sure it’s worth it. (You can unsubscribe at any time, but you probably already knew that.)