2023: The Year of the CPRA and CDPA - Virginia Joins California in Passing Comprehensive Privacy Legislation

The year 2023 is shaping up to be the next big year in data privacy. With the enactment of the Consumer Data Protection Act (“CDPA”) on March 2, 2021, Virginia joined California as the second U.S. state to enact comprehensive data privacy rights legislation. Virginia’s CDPA comes on the heels of California’s passage of its California Privacy Rights Act (“CPRA”), which amends the infamous California Consumer Privacy Act (“CCPA”). Both Virginia’s CDPA and California’s CPRA take effect January 1, 2023.

In response to this news, you might first consider whether your business needs to comply.

The Virginia CDPA imposes obligations on entities conducting business in Virginia or producing products or services that are targeted to residents of Virginia and that either:

  • Control or process personal data of at least 100,000 consumers during a calendar year.
  • Control or process personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.[1]

Turning to California, businesses should be aware that the CPRA amends the thresholds in California. Beginning in 2023, for-profit businesses will need to comply with the California CCPA/CPRA if the business collects personal information on California residents and satisfies one of the following:

  • Had more than $25 million in gross revenue for the preceding year.
  • Alone or in combination buys or sells or shares the personal information of 100,000 or more consumers or households.
  • Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.[2]

If the above requirements for either the Virginia CDPA or the California CPRA apply, your business will likely need to implement certain measures to ensure it can comply beginning in 2023. While your approach to compliance will depend on the nature of your business and its data practices, the following are several examples:

  • Implement mechanisms for new consumer data privacy rights requests. Examples include the right to access, correction, deletion, portability, and opt-out. Both the CPRA and CDPA have nuanced approaches to each right.
  • Update your privacy notices. Both the CPRA and CDPA have required disclosures to add to your privacy notice (often referred to as “privacy policies”).
  • Update your vendor contracts. Both the CPRA and CDPA provide for certain contractual provisions for vendor agreements.
  • Prepare data privacy risk assessments. Under certain circumstances, your business may be subject to data privacy audits.

For now, stay tuned for regulations that may provide additional clarity or requirements. (The CPRA regulations must be promulgated prior to July 1, 2022.) Also, don't hesitate to contact the KMK Law Cybersecurity & Privacy Team for more information on how the CPRA, CDPA, and various other data privacy laws affect your business.

[1] Code of Virginia § 59.1-572(A).

[2] Cal Civ Code § 1798.140(d), as amended by the California Privacy Rights and Enforcement Act of 2020.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.


© 2024 Keating Muething & Klekamp PLL. All Rights Reserved

