CDPA Consumer Rights

CDPA Consumer Rights

The Virginia Consumer Data Protection Act (CDPA) allows those who live in Virginia to control what companies can do with their personal data. More specifically, the legislation gives Virginia residents six specific rights regarding their personal information, which we'll explore below.

First, though, let's be sure we're clear on how the CDPA works and which businesses must comply with its terms.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate". Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

The CDPA in Brief

The State of Virginia passed the CDPA on March 2, 2021. The Act is designed to achieve two key aims:

  • Allow the residents of Virginia to control how businesses can access their personal or sensitive information
  • Give residents the power to opt out of any sale of their personal data

The Act also imposes obligations on companies to ensure they collect, process, and store personal data safely and responsibly:

  • Businesses must perform a risk assessment and ensure they have appropriate security measures in place to preserve data integrity at all times.
  • All companies subject to the CDPA must also ensure there's no discrimination against customers who choose to opt out of data selling, or who exercise their privacy rights in some other way.

Who Must Comply With the CDPA

The Act's scope is set out in section s.59.1-572.

Firstly, your business must comply with the Act if you sell goods or services in Virginia, or you sell goods or services aimed at residents of Virginia, and either one of the following applies:

  • Your business processes data belonging to at least 100,000 Virginia residents a year, or
  • Your business processes data belonging to 25,000 residents or more, and you earn over 50% of your gross annual revenue from selling personal data to third parties

If you're a commercial business, and you sell goods or services to customers in Virginia, it's most likely that you should comply with the Act. Seek legal advice, though, if you're at all unsure whether the Act applies.

Consumer Rights Under the CDPA

Consumer Rights Under the CDPA

If your business must comply with the Virginia Consumer Data Protection Act, you should understand which rights consumers have under the legislation.

Let's break down the six rights to illustrate how you might comply.

1. Right of Access

Customers have the right to know if you're collecting their personal data, and what you plan on doing with any information you process. As a business, you must give consumers access to the information you hold on them, if so requested. This is known as the right of access.

The easiest way to comply with this requirement is by including certain clauses in your Privacy Policy, which is a document that sets out your company's data processing policies in detail.

Include clauses covering:

  • Whether you collect data
  • What type of data you collect e.g. email addresses, credit card details
  • How consumers can request to access their data file

Starbucks, for example, collects data automatically or when customers provide it. It may also collect data from third parties:

Starbucks Privacy Statement: Information We Collect clause - Intro excerpt

The company then sets out examples of the data it collects:

Starbucks Privacy Statement: Information We Collect clause - Information You Voluntarily Provide Us section

And finally, there's a clause explaining how customers can access any data held on them:

Starbucks Privacy Statement: How to Manage Your Account Information and Your Privacy clause

You'll note these clauses are user-friendly and easy to read, which is what you should aim for when drafting your own clauses.

2. Right to Portability

Alongside the right of access, consumers can request a copy of the data stored on them in a convenient, portable format.

The idea behind "portability" is to let the customers transfer their data from one company to another, for example, if they decide to switch service providers, or they just want a copy of their data emailed to them for reference.

Complying with this obligation is relatively straightforward. If a customer asks for a copy of their personal data, ensure you provide it in a common, machine-readable format, such as a PDF or CSV file.

It's best if you try to verify a person's identity before you release any information to them. How you verify someone's identity will vary depending on the sensitivity of the data you hold.

3. Right to Opt Out

As mentioned, consumers have the right to stop you from:

  • Selling their personal data
  • Processing their data for targeted advertising
  • Using their information to profile the consumer unfairly e.g. to produce a legally binding outcome, such as a decision to offer credit, based purely on data profiling

You should set out such rights clearly within your Privacy Policy.

Take Tim Hortons, for example. Consumers can reject targeted advertising and cookies by following the instructions given:

Tim Hortons Privacy Policy: Privacy and Access Choices Available to You

As another example, Krispy Kreme has a bulleted clause setting out what rights consumers have regarding communications. Again, it also tell consumers how they can exercise these rights, which is a detail you should always include:

Krispy Kreme Privacy Policy: Your Choices clause excerpt

4. Right to Correction

If a consumer can access their personal data and obtain a copy, it makes sense that they can also ask you to amend their data.

Make sure you highlight this consumer right in your Privacy Policy. Krispy Kreme, for example, describes it as a right to update account information (see last screenshot), while Tim Hortons includes the right to correct inaccuracies as part of its clause on data access rights:

Tim Hortons Privacy Policy: Data Access clause

How you word this clause may vary, but what's important is that customers know they can amend their data, and how they can go about doing so.

5. Right to Deletion

A consumer can ask you to delete their personal information. They're not obliged to provide a reason. It's simply stated in section 59.1-573 as the right to "delete his personal data."

Here's an example of what such a clause might look like in your Privacy Policy from Starbucks:

Starbucks Privacy Policy: Deletion Request rights clause

6. Right of Appeal

Under the Virginia Consumer Data Protection Act section 59.1-573, you should respond to a consumer request within 45 days of receipt. You can only extend this deadline if there's a compelling reason to do so e.g. it's a complex access request.

You should also provide customers with the data they request free of charge up to twice per year.

You can charge a reasonable fee for multiple requests. What's reasonable depends on your business and the complexity of the request.

If you try to charge the consumer unfairly, refuse to release information, or if you fail to respond in a timely manner, then the consumer can appeal your decision.

Complying With CDPA Consumer Rights Obligations

Complying With CDPA Consumer Rights Obligations

Although we do cover compliance requirements in detail elsewhere, it's worth touching on the three main steps companies can take to ensure CDPA compliance.

1. Draft a Privacy Policy

As mentioned, consumers have the right to know whether you collect their data and, importantly, what you plan on doing with it. They also have the right to access the data you hold.

We touched on this above, but you can facilitate these rights through a Privacy Policy.

Remember, a Privacy Policy sets out whether you collect personal information and how you use it. You can comply with the CDPA by ensuring you have a Privacy Policy somewhere accessible on your website e.g. the website footer and/or at checkout.

You should also ensure you include your contact details, so a customer can reach you to exercise their consumer rights.

2. Impose Limitations on Collection and Use

Under the CDPA section 59.1-574, businesses should limit how much data they collect.

In other words, here is what the clause means in practical terms:

  • You should only collect as much data as you need to satisfy a defined purpose
  • This purpose must be made clear to the consumer i.e. in your Privacy Policy or via another appropriate notice
  • You can't collect data for any other unrelated purpose without express consent from the consumer

If there's any doubt whether you have consent to process data in a certain way, it's always best to get express consent before proceeding.

3. Maintain Appropriate Safeguards

Finally, every business handling personal data belonging to a Virginia consumer must ensure there's sufficient security in place to protect the information at all times.

You can do this by:

  • Performing a data protection assessment i.e. risk assessment
  • Ensuring staff use strong passwords which they keep safe
  • Installing security software and ensuring it's up-to-date
  • Encrypting data and storing it at a secure location

If you don't have in-house IT personnel, consider hiring a managed services provider or other IT specialist to check your system security.

Penalties for Non-Compliance

Should companies fail to comply with the CDPA, they may face financial penalties. The penalties are set out in section 59.1-579.

In other words, businesses have 30 days from the date of notice to remedy any breaches identified under the CDPA. If they fail to act, they could face a penalty of $7,500 per breach. Meaning, for example, if a company commits two violations, they could face a penalty of $15,000.

If you're concerned regarding how to comply with the Virginia Consumer Data Protection Act, seek legal advice as soon as possible.

Notably, it's on the Attorney General to decide whether or not to pursue an action. There's no private right of action for customers to sue companies who don't comply with the Act.

For customers, this is a clear shortcoming in the legislation. However, it's as yet unclear how rigorously the Attorney General will pursue businesses under the CDPA.


The Virginia Consumer Data Protection Act, or CDPA for short, gives customers six fundamental rights over their personal data.

Consumers have the right to:

  • Access personal data held on them by commercial businesses
  • Ask for a copy of their personal data records in a portable, convenient format
  • Opt out of any sale of their personal data for marketing or commercial purposes
  • Correct any errors in the personal information stored on them
  • Request that companies delete their personal data
  • Appeal if a business doesn't comply with a request within a reasonable period (typically within 45 days of the request)

To help consumers exercise these rights, businesses should ensure there's a Privacy Policy on their website with the company's contact details. They should also make sure that people understand the rights the CDPA gives them and, where appropriate, they must act on a customer's request as soon as possible.

Finally, businesses should ensure they have proper safeguards in place to protect customer data, and they should only collect as much data as they need for a clearly identified purpose.

A failure to ensure consumers can exercise their rights under the CDPA means you are likely to face financial penalties or, at a minimum, reputation damage.