Virginia Governor Signs 3 CDPA Amendments into Law

The three bills take effect July 1st, 2022. Here's what you need to know

Tess Macaplinac, Lead Privacy Counsel, OneTrust


On April 11th, 2022, Virginia Governor Glenn Youngkin signed three bills amending the Virginia Consumer Data Protection Act into law.  

The main stipulations these bills add to the existing state privacy law are: 

  1. Adding a new exemption to the CDPA’s right to delete 
  2. Repealing the Consumer Privacy Fund provision and instead directing penalties, expenses, and attorney fees recovered in enforcing the CDPA to a different fund 
  3. Modifying the CDPA’s definition of a nonprofit 

As the second state to pass comprehensive consumer data privacy protection legislation, Virginia has now finalized the CDPA, which comes into effect on January 1, 2023. 

What do these amendments change in the Virginia CDPA? 

HB 381, which covers the exemption to the right to delete, works as follows: 

Under this amendment, controllers that get personal data about a consumer from a source other than the consumer can fulfill a consumer’s request to delete in two new ways.  

The first involves keeping a record of the request for deletion and retaining the minimum amount of information needed to ensure that the data remains deleted from the controller’s records. Notably, this information cannot be used for any business purpose. 

The second option has the controller opting the consumer out of the processing of this personal information for any purpose other than the relevant exceptions to deletion. These exemptions include maintaining information for legal or compliance purposes, and to protect against security and fraud issues. 

The other two bills, SB 534 and HB 714, repeal the Consumer Privacy Fund.  

They then state that the penalties, expenses, and fees collected from enforcing the Virginia CDPA should be paid to the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. 

These bills also modify the definition of a nonprofit under the CDPA.  

The definition of a nonprofit is now expanded to include political organizations and any organization exempt from taxation under the Internal Revenue Code.  

What do the CDPA amendments mean for businesses? 

With the signing of these amendments, the CDPA is now finalized, allowing businesses to get a head start on compliance with a clear direction in mind.  

As organizations map out their data policies and processes with the CDPA regulations in mind, the amendments regarding the exemption to delete and the modified definition of nonprofit are ones to note for businesses to maintain compliance from the start of 2023. 

Further Resources on the CDPA: 

Virginia CDPA Law
