Sample Virginia CDPA Privacy Policy Template

Sample Virginia CDPA Privacy Policy Template

If you're a commercial business selling goods or services to the residents of Virginia, then you need to understand how Virginia's Consumer Data Protection Act (CDPA) affects you.

Essentially, if you fall under the Act's jurisdiction, you must take steps to inform Virginia residents of their data protection rights and help them exercise these rights if they choose to do so.

One of your main responsibilities under the CDPA is drafting a Privacy Notice, or Privacy Policy, setting out these rights in more detail.

Let's break down how the Act works and what a CDPA-compliant Privacy Policy looks like.


What is the CDPA?

The Consumer Data Protection Act protects what's known as personal data, or personal information. Personal information is defined in Section 59.1-571 as, basically, any single piece of data you can use to identify an individual person:

Virginia Legislative Information System: CDPA - Definition of personal data

So, examples of "personal data" can include information such as names, email addresses, IP addresses, and even employment data.

As a business, you have various obligations under the CDPA. You must:

  • Draft and publish a Privacy Notice or Privacy Policy. This sets out what rights people have over their data and how you facilitate these rights.
  • Take steps to reduce or minimize how much data you collect.
  • Ensure you get consent before collecting "sensitive" personal data. This includes all data belonging to minors, and data you can use to identify sensitive characteristics like someone's mental health status.
  • Provide sufficient cybersecurity to protect any personal data you handle.

Although we're focusing on Privacy Policies, just be aware it's not the only obligation you have under the Act.

Before we move on, here's something to bear in mind. The CDPA won't become law until January 1, 2023. However, the earlier you draft your Privacy Policy, the more prepared you'll be when the law comes into force.

Also, other laws require a Privacy Policy, so if you don't have one yet, you will need one anyway.

Who Must Comply With the CDPA?

To be clear, Virginia's CDPA only applies if you're a commercial, for-profit business selling goods or services to Virginia residents and you either:

  • Derive more than 50% of your gross revenue from selling personal information and process personal data belonging to more than 25,000 residents, or
  • Process data belonging to more than 100,000 Virginia consumers

So, most B2C companies selling in Virginia will need to comply, which of course means drafting a Privacy Policy. However, if you're a non-profit, the CDPA doesn't apply to you.

How to Write a CDPA-Compliant Privacy Policy

How to Write a CDPA-Compliant Privacy Policy

Think of a Privacy Policy as a written notice of what happens to someone's personal data from the moment they share it with you, until the moment it's permanently erased.

What a Privacy Policy must include varies slightly depending on which law applies, but basically, if you need to write a CDPA-compliant Privacy Policy, here's what it should include.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

First, you need to introduce the Policy, explain which laws apply, and provide some contact details for people to reach you.

Next, you must include clauses explaining the following:

  • Individual rights: This clause tells people what rights they have, and how to exercise them.
  • Personal data collection: What information you collect from someone.
  • Purpose of collection: The reason(s) why you process this data.
  • Personal data usage: What you do with the data.
  • Third party sharing: Who you share the data with, and why.
  • Sale of data: The clause detailing whether you sell data, and who you sell it to.

Now, let's break down each of these clauses, one at a time.

Introduction

The introduction simply sets out what the document is, and what it covers.

  • Include the effective date i.e. the date the Policy came into force.
  • Explain that it's a Privacy Policy, which tells people what happens to the data they share with your business.
  • Confirm that the person can't use your website unless they agree to your Privacy Policy.

Here's a good example from Papa Murphy's. In just a few lines, it sets out what they Policy is, what it covers, and where people can find out more:

Papa Murphys Privacy Policy: Introduction section

You'll note they last updated the Policy on November 30, 2020. Make sure to always change the date to reflect when you last amended your Policy so people know how up to date (or not) that it is.

Jurisdiction

In this context, jurisdiction simply means which federal or state laws govern the agreement between you and the consumer. In other words, it's which laws apply if there's ever a court action or disagreement.

Wendy's, for example, relies on laws set by the State of Ohio:

Wendys Terms and Conditions: Choice of Law clause

As you'll see from this clause, you don't need much detail here. Just include enough so consumers know which state or federal laws apply.

Contact Details

You must ensure consumers know how to contact you with any questions about your Privacy Policy, or to exercise their rights. Ideally, this means providing at least two ways to contact you, but you can always include more.

For example, Papa Murphy's provides an email address, phone number, and mailing address. Including at least one free option like an email address is good practice:

Papa Murphys Privacy Policy: Contact clause

The Rights of the Individual

As set out in Section 59.1-573, the CDPA gives consumers five specific rights over their personal data. Basically, people can ask to see what data you hold on them, and you must delete it upon request. You must also amend any errors they point out, and if they refuse to let you sell their data, you must comply with this:

Virginia Legislative Information System: CDPA - Personal data rights: Consumers section

Your Privacy Policy should explain these rights and how people can exercise them. Keep this clause simple and easy for the average reader to understand.

Here's an example from Macy's. Although it's for the California Consumer Privacy Act (CCPA) the principle is the same:

macys-highlights-notice-privacy-practices-california-residents-rights-clause

The Data You Collect

Tell customers what data you collect, and how you collect it. Give examples, but don't be so restrictive that you can't collect anything else.

  • Use language like "such as" to show the examples you're giving aren't exhaustive.
  • Be clear about the ways you collect data e.g. maybe someone voluntarily shares it with you, or you collect it through automated means.

Wendy's for example, collects data in three ways:

Wendys Privacy Policy: Information We Collect clause

Notice how the phrasing says "such as" to illustrate how the list isn't exhaustive, but is rather giving some examples:

Wendys Privacy Policy: Information We Collect clause - Information You Provide Us section

You should also set out how you actually collect this data e.g. if you use cookies or if you rely on customers sharing the information with you.

Here's an example from Macy's of how you might structure this section:

Macys Highlights of Notice of Privacy Practices: How we collect information clause

Purposes of Data Collection and How You Use the Data

Tell customers why you're collecting the data in the first place e.g. to complete an order or to personalized your marketing. Again, the clause should be clear, succinct, and easily understood.

Papa Murphy's has a good example of how to set out a clause like this in short, simple paragraphs:

Papa Murphys Privacy Policy: Our Use of Information clause

Tell consumers how you plan on using their data. The golden rule is this: If you can't articulate why you need a piece of data e.g. someone's date of birth, then you shouldn't collect it.

To be sure you're not limiting yourself, you can use language like "for example" or "such as" to ensure people know you might use their data for other purposes.

Barnes & Noble, for example, uses the phrase "manage our business," which can be interpreted very widely:

Barnes and Noble Privacy Policy: How do we use your personal information clause

You're trying to strike a balance between ensuring there's enough information available for people to give informed consent to your Privacy Policy, and ensuring you're free to run your business.

Your Personal Data Sharing Policies

If you share personal data with any source, whether it's for marketing or some other purpose, you must declare this in your Privacy Policy. Even if you're only sharing data internally between departments, consumers have the right to know this.

Macy's helpfully breaks this clause down into concise, clear paragraphs with bolded wording so consumers can easily the key information:

Macys Highlights of Notice of Privacy Practices: How we share your information clause

If you use cookies or another tracking technology, you would specify it here, like this example from Garden Season. You'll note how the company also explains how people can reject cookies, which is great practice because it's helping people to facilitate their privacy rights:

Garden Season Privacy Policy: Cookies clause

Selling Personal Information

By "selling" personal information, we're talking about selling personal data to third parties. If this is something you do, you must highlight this in your Privacy Policy. Moreover, you must tell customers how they can opt out of this.

Here's an example from Wendy's. Wendy's tells customers they have the right to opt out:

Wendys Privacy Policy: Right to opt-out of the sale of personal information clause

Wendy's also provides the means for users to do so:

Wendys Privacy Policy: Exercise rights clause

Note that even though the CCPA is referenced in the clause, the same approach will go for the CDPA and other privacy laws. The concept remains the same even though the law may have a different name.

Where to Display Your CDPA Privacy Policy

Where to Display Your CDPA Privacy Policy

It's not enough to just draft a Privacy Policy. You must also ensure consumers have the chance to read it before they hand over any personal data.

There are three places in particular you should link to your Privacy Policy.

Make it easy for people to find your Privacy Policy by placing a link in your footer. Ideally, you should place the link beside your other key documents so consumers can read them together.

Here's an example from Martha Stewart:

Martha Stewart website footer with Privacy Policy link highlighted

You'll notice the link is right beside the Terms of Service and other critical information. Users are familiar with this set-up of putting important links in the footer, so it's a common best practice.

At the Point of Data Collection

Under the CDPA, you don't always need someone's consent to collect their data. However, remember, if you're collecting sensitive data, you will need consent.

What constitutes consent? Well, under the CDPA, it must be clear, freely offered, and affirmative. In other words, a consumer must do something to clearly indicate they're consenting to personal data processing.

The best way to get express consent? Use a checkbox to indicate the consumer consents to your Privacy Policy.

Here's an example from Little Caesars Pizza. Before the customer opens an account by submitting their personal information, they must clearly indicate they've read and agree to the Privacy Policy:

Little Caesars Create Account form with checkboxes

Within Other Policies

Give consumers easy access to your Privacy Policy by linking to it within other documents, like your Terms of Use or Cookies Policy.

Here's a great example from Wendy's. There's a link to the Privacy Policy near the start of the Terms and Conditions, so consumers can quickly flip between both documents:

Wendys Terms and Conditions: Contents and Summary clause with Privacy Policy link highlighted

Wendy's places the key information consumers need at their fingertips in this useful summary of contents.

What Happens if Your Privacy Policy Doesn't Comply With the CDPA?

If your Privacy Policy doesn't meet the standards set out in the Consumer Data Protection Act, you could be fined up to $7,500 for the violation.

Essentially, if a customer complains about your Privacy Policy, the Attorney General will give you 30 days to correct whatever's gone wrong with your data collection practices. If you don't comply with the Attorney General's request, you'll likely face a financial penalty. The rules are set out in Section 59.1-579 of the Act:

Virginia Legislative Information System: CDPA - Violations of chapter: Civil penalty section

To be clear, the consumer can't "sue" you directly if there's anything wrong with your Privacy Policy. They must go through the Attorney General.

Key Takeaways

If you're a business selling goods or services to Virginia residents, you need to comply with Virginia's CDPA. This Act gives people new rights over their personal data, and it restricts what businesses can do with the personal information they collect.

In particular, if you fall under the CDPA's jurisdiction, you must draft a Privacy Notice, or Privacy Policy, explaining at minimum the following seven things:

  • Whether you collect personal data from consumers
  • Which laws apply, should anything go wrong with the agreement
  • Why you need a consumer's personal information
  • Who you share the personal data with
  • Whether you sell personal information to third parties
  • What rights a consumer has over their personal data
  • How they can contact you to exercise these rights

You should display your Privacy Policy somewhere obvious on your website to ensure consumers have the chance to read it before they provide any personal data. This includes placing a link to your Policy in the website footer and within your other key documents. You should also link to it at the point of data collection e.g. when someone opens an account or signs up for an email marketing list.

If you fail to comply with your responsibilities under the CDPA, you could be fined up to $7,500 per violation.