We have long predicted that just as other states followed California in passing breach notification laws, states would follow in California’s footsteps in regulating information privacy practices with the California Consumer Privacy Act of 2018 (CCPA), which was later amended by the California Privacy Rights Act of 2020 (CPRA).[1] Virginia recently became the first state to do so, surprising many with news that it quickly passed and signed into law comprehensive privacy legislation, namely the Virginia Consumer Data Protection Act (CDPA). Like the CCPA, Virginia’s CDPA builds on the Fair Information Privacy Principles (FIPP), so many of the lessons learned implementing the CCPA apply here. The CDPA will take effect January 1, 2023.

This five-part series on Virginia’s CDPA provides a detailed overview of the act, and how it compares to California’s approach to privacy under the CCPA and CPRA. The series will be divided into the following parts:

  1. Introduction and Overview
  2. Consumer Rights
  3. Notice and Disclosure Obligations
  4. Data Processing Obligations
  5. Enforcement

At the conclusion of the series, Troutman Pepper will host a webinar on the Virginia CDPA on April 15, 2021. Please click here to register.

  • Installment No. 1: Introduction and Overview (available: here)
  • Installment No. 2: Consumer Rights (available: here)
  • Installment No. 3: Notice and Disclosure Obligations (available: here)
  • Installment No. 4: Data Processing Obligations (available: here)
  • Installment No. 5: Enforcement (available: April 1, 2021)


[1] Unless stated otherwise, the term “CCPA” is intended to reference the CCPA and CPRA in general. Where we felt it was necessary to draw a distinction between the CCPA and CPRA, we have stated so explicitly.