Virginia Governor Signs 3 CDPA Amendments into Law
Virginia Governor Signs 3 CDPA Amendment...

Virginia Governor Signs 3 CDPA Amendments into Law

The three bills take effect July 1st, 2022. Here's what you need to know

Tess Macaplinac Lead Privacy Counsel, OneTrust

clock2 Min Read

Featured Image

On April 11th, 2022, Virginia Governor Glenn Youngkin signed three bills amending the Virginia Consumer Data Protection Act into law.  

The main stipulations these bills add to the existing state privacy law are: 

  1. Adding a new exemption to the CDPA’s right to delete 
  2. Repealing the Consumer Privacy Fund provision, and instead, direct penalties, expenses and attorney fees recovered enforcing the CDPA to a different fund 
  3. Modifying the CDPA’s definition of a nonprofit 

As the second state to pass comprehensive consumer data privacy protection legislation, Virginia has now finalized the CDPA coming into effect on January 1, 2023. 

What do these amendments change in the Virginia CDPA? 

Bill HB 381, covering the exemption to the right to delete, is expanded upon as follows: 

Under this amendment, controllers that get personal data about a consumer from a source other than the consumer can fulfill a consumer’s request to delete in two new ways.  

The first involves keeping a record of the request for deletion and retaining the minimum amount of information needed to ensure that the data remains deleted from controller’s records. Notably, this information cannot be used for any business purpose. 

The second option has the controller opting the consumer out of the processing of this personal information for any purpose other than the relevant exceptions to deletion. These exemptions include maintaining information for legal or compliance purposes, and to protect against security and fraud issues. 

The other two bills, SB 534 and HB 714, repeal the Consumer Privacy Fund.  

They then state that the penalties, expenses, and fees collected from enforcing the Virginia CDPA should be paid to the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. 

These bills also modify the definition of a nonprofit under the CPDA.  

Nonprofits are now expanded to include political organizations and any organization exempt from taxation under the Internal Revenue Code.  

What do the CDPA amendments mean for businesses? 

With the signing of these amendments the CDPA is now finalized, allowing business to get a head start on compliance with a clear direction in mind.  

As organizations map out their data policies and processes with the CDPA regulations in mind, the amendments regarding the exemption to delete and the modified definition of nonprofit are ones to note for businesses to maintain compliance from the start of 2023. 

Further Resources on the CDPA: 

Virginia CDPA Law

You Might Also Be Interested In


JANUARY 13, 2023

Addressing UK app Code of Practice requirements with OneTrust

JANUARY 12, 2023

Ultimate guide to the EU CSRD ESG regulation for businesses

JANUARY 11, 2023

Continuous improvement: The leading indicator for successful compliance programs

JANUARY 10, 2023

Build trust, promote your program in the Third-Party Risk Exchange

JANUARY 9, 2023

Building trust in a zero trust world

JANUARY 9, 2023

Consent management by the numbers: 2022 DMA report summary

JANUARY 9, 2023

Navigating the California Privacy Rights Act as a HIPAA-compliant business

JANUARY 6, 2023

US state privacy bills on the horizon in 2023

BackToTop
Onetrust All Rights Reserved