The Virginia Consumer Data Privacy Act (CDPA), which will go into effect on January 1, 2023, has been amended. On April 11th, 2022, Virginia Governor Glenn Youngkin signed into law three bills amending the CDPA.
The main amendments to the current state privacy law are a new exemption to the right to delete, a repeal of the consumer fund provision, and a modification to the CDPA’s definition of a nonprofit.
Why Change The CDPA?
These amendments were inspired by a November 2021 report by the working group that was set up under the law to suggest improvements. Because the Virginia CDPA does not provide the state Attorney General with any authority to alter the law or create new rules, changes to the law must come from Virginia's state legislature.
What Changes do these amendments make to the Virginia CDPA?
Bill HB 381, aims to give data controllers who obtain consumer personal data indirectly more options to comply with the consumer's right to deletion by allowing them to achieve compliance with a request from the consumer to delete by either: (a) “retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose” or “opting the consumer out of the processing of such personal data for any purpose except for those exempted.”
Also amended is the definition of "nonprofit organizations", which were already exempted from the requirements of the CDPA, but have had their exemptions expanded. The definition of a "nonprofit" under the CDPA has now been expanded to include “any political organization” which the legislature defined as a “party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.”
Finally, the CDPA was amended to repeal the Consumer Privacy Fund, instead opting to pay any penalties, expenses, or fees collected in the enforcement of the CDPA directly to the State Treasury, and to credit them to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.
Preparing a Roadmap for Consumer Privacy Compliance in 2023
While the changes made in these amendments aren't fundamental to the meaning, requirements, or enforcement of the CDPA, they do signal the finalization of the law, which will go into effect on January 1st, 2023.
2023 is set to be a big year for consumer privacy in the United States, with the CDPA, CPRA, and UCPA all coming into effect. To help prepare your compliance roadmap for 2023 and beyond, we've put together our State Privacy Law Tracker, where you can compare the requirements of the various consumer privacy laws already passed in the United States as well as the 20+ laws currently in the legislature.
For a more in-depth discussion of consent management and the future of data privacy, join us on May 11th for our webinar, Updating Your Consent Experience for a Modern Privacy Landscape, featuring guest speakers from Forrester Research.