The Consumer Data Protection Act (CDPA) is a consumer privacy law in the Commonwealth of Virginia expected to be effective January 1, 2023.


CDPA applies to all people that conduct business in the Commonwealth of Virginia and either:

  1. control or process personal data of 100,000 or more consumers, or
  2. derive over 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.


CDPA protects the personal data of consumers. “Consumer” is narrowly defined as a “natural person…acting only in an individual or household context” while “personal data” is “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Personal data does not include de-identified data or publicly available information.

Under the CDPA, a controller of personal data must limit its collection of personal data and implement security measures to protect the data, among other things. A consumer must give consent before a controller processes any sensitive data. Sensitive data includes information about race, religion, sexual orientation, citizenship status, and genetic and biometric data.

CDPA also requires a controller to perform a data protection assessment if the processing activities are done for any of the following reasons:

  • For purposes of targeted advertising
  • For the sale of personal data
  • The processing of personal data for certain types of profiling
  • Processing activities that present a heightened risk of harm to consumers
  • The data to be processed is sensitive

Because the CDPA applies in a “household context,” it has several important carve outs and does not apply to individuals in an employment or commercial context. Further, CDPA does not apply to state or local governmental entities and has exceptions for certain information regulated by federal privacy laws including information protected under HIPAA, GLBA, FCRA, and FERPA. Nonprofits are also exempt from CDPA.

The CDPA grants consumers with the right to:

  • Confirm if a controller has his or her data
  • Access data that is held by a controller
  • Correct inaccuracies in the personal data
  • Request a controller delete personal data
  • Opt-out of having his or her data used for targeted advertising


CDPA does not provide individuals with a private right of action. The Attorney General of the Commonwealth of Virginia is solely responsible for enforcement.


The Attorney General may seek up to $7,500.00 per violation of CDPA. Both controllers and processers may be fined.