Beta version

Virginia Consumer Data Protection Act (CDPA) Compliance

Please note that the information provided below is not intended as legal advice and we cannot be held legally responsible for it. We have sought legal counsel and the content on this page reflects our interpretation of the law. If you have any concerns about compliance with CDPA, we recommend sharing this page with your legal team.

The Virginia Consumer Data Protection Act (CDPA) is a comprehensive privacy law that was passed in the state of Virginia in 2021. It applies to any business that processes the personal data of Virginia residents, regardless of where the business is located.

The CDPA requires businesses to be transparent about their data collection, use, and sharing practices, and gives Virginia residents the right to access, correct, and delete their personal data, as well as the right to opt out of the sale of their personal data. The CDPA also imposes significant fines and penalties on businesses that violate its provisions, making it one of the strongest privacy laws in the United States.

Some key points to consider when determining if CDPA applies to a business include:

  • Who is considered a "consumer" under the Act: According to the Act, a "consumer" is a natural person who is a resident of Virginia acting only in an individual or household context. This means that the law does not cover employee data or data collected in a professional context.
  • What is considered a "sale of personal information" under the Act: The Act defines "sale of personal information" as the exchange of personal data for monetary consideration by the controller to a third party. This means that exchanging user data for non-monetary goods would not qualify as a sale of data.

How CDPA Affects Web Analytics?

The Virginia Consumer Data Protection Act considers the following types of data to be sensitive:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status (Article 3.2(iii))
  • Personal data collected from a known child (Article 3.2(iv))
  • Personal data reflecting a person's transaction or experience (Article 3.2(v))
  • Personal data derived from genetic or biometric data (Article 3.2(vi))
  • Personal data collected through the use of geolocation technology (Article 3.2(vii))
  • Personal data collected through the use of an audio, electronic, or similar device (Article 3.2(viii))
  • Personal data collected through the use of a voice recognition device (Article 3.2(ix))
  • Personal data from a consumer's Internet browsing history or search history (Article 3.2(x))
  • Personal data from a consumer's use of an Internet website or online service (Article 3.2(xi))
  • Personal data from a consumer's use of a mobile application (Article 3.2(xii))

Under the CDPA, controllers of sensitive personal data must implement additional protections for the data and must obtain affirmative express consent from consumers before collecting, using, or disclosing the data.

Does Proxima Comply with **CDPA**?

Proxima Analytics is compliant with the Virginia Consumer Data Protection Act (CDPA) due to the following practices:

  • We do not collect sensitive data, as defined by CDPA. This includes biometric, genetic, mobile, or personal data (Article 3.2).
  • We heavily anonymise all data collected through the use of hashing techniques (Article 3.2).
  • We do not store raw data, such as IP addresses or user agents (Article 3.2).
  • Our customers have the ability to toggle the collection of geolocation, device, and operating system information (Article 3.2).

By following these practices, we ensure that we are in compliance with the CDPA and protect the privacy of our customers' website visitors.

As the Virginia Consumer Data Protection Act (CDPA) is relatively new, having only gone into effect on January 1st, 2023, it is important for companies like Proxima Analytics to stay up-to-date on the latest interpretations of the law.

There are still many questions surrounding the implementation of certain provisions, such as the requirement for obtaining data privacy consent or the need for data processing agreements with parties that handle personal data on behalf of a business. Until these issues are more clearly defined, it will be necessary for companies to remain vigilant and adapt to any changes in the legal landscape. However, Proxima Analytics is committed to complying with the CDPA and ensuring the privacy and protection of personal data.