Sample Virginia CDPA Privacy Policy Template

Last updated on 03 December 2021 by William Blesch (Legal and data protection research writer at TermsFeed)

If your company collects personal data from Virginia residents who register for your services online or visit your website, and it meets the law's applicability thresholds (covered below), you will need to comply with the state's Consumer Data Protection Act (CDPA).

The CDPA will become effective on January 1, 2023.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.
  2. Answer some questions about your website or app.
  3. Answer some questions about your business.
  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

You'll be able to instantly access and download your new Privacy Policy.



What Is CDPA?

The Virginia Consumer Data Protection Act (CDPA) is a state privacy law that applies to persons who conduct business in the Commonwealth of Virginia, or who produce products or services targeted to Virginia residents, and who meet the law's data-processing thresholds (see below).

What this means for you is that you will need to review your website's Privacy Policy and, if necessary, update it to meet the demands of the CDPA.

If you don't have a Privacy Policy, you need to get one written promptly. Having a publicly posted Privacy Policy with data protection and privacy terms is one of the most significant parts of compliance with Virginia's new law.

Whether you need to write a Privacy Policy from scratch or are worried about what needs to be updated, we've got you covered. To ensure that you have a CDPA-compliant Privacy Policy, let's dive into what you need to do before 2023 arrives.

Virginia's CDPA moves the United States a large step toward the kind of stringent privacy and data security laws found in the European Union. Some have also compared the CDPA to the California Consumer Privacy Act (CCPA), which, until the CDPA passed, was the most stringent data privacy law in the United States.

However, the CDPA goes further than the CCPA in the security and assessment obligations it places on companies: controllers must maintain reasonable administrative, technical, and physical data security practices, and must conduct and document data protection assessments for higher-risk processing such as targeted advertising, the sale of personal data, certain profiling, and any processing of sensitive data.

Who Does the CDPA Apply to?

The CDPA applies to persons that conduct business in the Commonwealth of Virginia, or that produce products or services targeted to the state's residents, and that meet at least one of the following thresholds:

  • Control or process the personal data of at least 100,000 consumers during a calendar year, or
  • Control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data

Who is a Consumer?

The law's definition of consumer is "a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context."

What is Personal Data?

According to the CDPA, the definition for "Personal Data" is "any information that is linked or reasonably linkable to an identified or identifiable natural person." Exceptions to this definition include:

  • Publicly available information
  • Data which has been de-identified (information that "cannot reasonably be linked to an identified or identifiable natural person [or] a device linked to such person")

Sensitive Data

The CDPA singles out a subset of personal data as "sensitive data," which you may not process without the consumer's consent. Sensitive data is:

  • Personal data revealing racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying a natural person
  • Personal data collected from a known child (a natural person younger than 13)
  • Precise geolocation data

Under the CDPA, "consent" is "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer." Consent may take the form of a written statement, including one made electronically, or any other unambiguous affirmative action. You are required to obtain consent before processing a consumer's sensitive data. For personal data in general the law does not require opt-in consent, but consumers have the right to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects, and your Privacy Policy must tell them how to do so.

What's the Penalty for Not Having a CDPA-Compliant Privacy Policy?

If you violate the CDPA, including by failing to provide a compliant Privacy Policy, you could face a civil penalty of up to $7,500 per violation. Many will consider that a hefty price tag. However, business owners also need to consider that the company may be ordered to pay the "reasonable expenses" incurred in investigating and preparing the case, including attorney's fees, on top of the penalty.

Two further points matter in practice. The CDPA is enforced exclusively by the Virginia Attorney General; it creates no private right of action for consumers. And before bringing an action, the Attorney General must give the controller or processor 30 days' written notice of the alleged violation, during which the company can cure it and provide a written statement that it has done so and will not repeat the violation.

CDPA-Compliant Privacy Policies FAQs

You may find answers to the list of the following questions useful.

Do I need to have a CDPA-Compliant Privacy Policy?

If the CDPA applies to your business (see the thresholds above), then yes.

You must provide a "reasonably accessible, clear, and meaningful" privacy notice that discloses:

  • The categories of personal data you process
  • The purposes for which you process it
  • The categories of personal data you share with third parties, if any
  • The categories of third parties you share personal data with, if any
  • How consumers can exercise their rights, including how they can appeal your decision on a request
  • If you sell personal data or process it for targeted advertising, a clear and conspicuous statement of that fact and of how consumers can opt out
  • Contact information, since you must also establish one or more secure and reliable means for consumers to submit requests

If I already have a Privacy Policy, how do I update it for the CDPA?

To update your existing Privacy Policy for CDPA compliance, first remember that the law requires it to be "reasonably accessible, clear, and meaningful."

The statute doesn't define those terms any further. However, if you use the CCPA as a model (its regulations give businesses considerably more detailed instructions), then in addition to ensuring the information mentioned above is included, you'll want to:

  • Make sure your Privacy Policy is written in clear and easy-to-understand language. Leave out technical and legal jargon.
  • Use a layered format. Use a structure for your Privacy Policy that makes it easy for the reader to scan quickly for relevant information.
  • Post your Privacy Policy in a prominent location on your website or link to it from that location (common areas include your website's footer, beneath opt-in forms, and on check-out forms). Additionally, ensure that any link to your Privacy Policy is conspicuous and does not blend in with surrounding text.
  • Provide consumers with the option to download and print your Privacy Policy. Also, format your Privacy Policy so that if someone prints it out, it remains easy to read.

How do I make my CDPA Privacy Policy Enforceable?

If your Privacy Policy doesn't include a means of recording that a consumer has read and agreed to its contents, it won't be considered an agreement. If it isn't an agreement between you and your website's visitors, it's simply a notice, not something you can enforce against them.

To give your Privacy Policy the best chance of being enforced as an agreement, place a button next to text that states, "I have read and agree to the terms of the Privacy Policy." The button should say "I Agree."

Alternatively, use an unticked checkbox next to a statement like the one above. To advance, users would have to tick the checkbox themselves to affirm the statement; a box that is ticked by default does not show an affirmative act. Whichever control you use, keep a record of the acceptance (who agreed, when, and to which version of the policy) so that you can produce it later.

How to Create a CDPA-Compliant Privacy Policy

In essence, to create a Privacy Policy that's as airtight as possible, you'll want to ensure that:

  • Consumers understand what their rights are when it comes to data privacy.
  • You are transparent about how you'll comply with the wishes of consumers when they exercise their rights.
  • Consumers understand you won't discriminate against them for exercising their rights.

Before you begin writing your Privacy Policy, you'll also want to conduct a self-audit of your privacy and data protection practices. That way, you'll better know what specific information you need to disclose.

Types of Information You Collect

Your Privacy Policy needs to have as one of its main sections the type of data your company collects. As noted previously, you need to be transparent about the categories of information that you collect.

For example, Dollar Tree lists many categories of personal data it collects from customers, along with the specific types of data in each:

Dollar Tree Privacy Policy: Data Collection chart with context, data types, purpose for collection and use of data

The screenshot above is only a snapshot of how the company lays out its data collection practices in its Privacy Policy, but note how thorough and comprehensive its disclosures are.

A context and specific types of data are given for each instance where information is collected:

  • Account Registration: We collect your name, contact information, and password information when you create an account. We also collect information relating to the actions that you perform while logged into your account.
  • Client Information: We collect the name and contact information of our clients and their employees with whom we may interact.
  • Cookies and First Party Tracking: We use cookies and clear GIFs. "Cookies" are small pieces of information that a website sends to a computer's hard drive while a website is viewed.
  • Cookies and Third-Party Tracking: We participate in behavior-based advertising, which means that a third party uses technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests on our website, or on other websites.
  • Coupons/Loyalty Program Information: We may collect your telephone number, email address, name and other contact information, birthday, gender, location information, personal preferences, and password information to administer loyalty and coupon programs.

Dollar Tree goes on to list other categories for which personal information is collected. These include:

  • Demographic Information
  • Distance Information
  • Email Interconnectivity
  • Employment (Prospective)
  • Feedback/Support
  • Mailing List
  • Mobile Devices
  • Order Placement
  • Partner Promotion
  • Surveys
  • Sweepstakes or Contests
  • Website Interactions
  • Web logs
  • Wish Lists

Use of Data and Processing Information

The next section you should include is how you use and process personal data. A Virginia-based company that lays everything out is DXC Technology. Like Dollar Tree, it goes into explicit detail about how consumer information is both used and processed.

Just one example is how the company uses data to fulfill transaction requests:

DXC Technology Privacy Policy: Use of Personal Information clause - Fulfilling Your Transaction Request section highlighted

A few other ways DXC uses and processes consumer data are to:

  • Personalize the user experience on its websites
  • Provide support for customers
  • Market to customers
  • Aid in recruitment efforts
  • Monitor or record calls, chats, and other interactions
  • Help protect the company's rights and property

Who You Share Data With

Every company that collects personal information from its customers should specify the categories of information it shares with third parties as well as the categories of third parties it shares data with.

Here's how General Dynamics discloses this information:

General Dynamics Privacy Policy: Information We Share clause

How Consumers Can Exercise Their Rights

Make sure you include a section that details how consumers can exercise their rights under the CDPA.

Northrop Grumman provides the information consumers need, though its language isn't as simple and easy to understand as it could be:

Northrop Grumman Privacy Policy: Your Rights and Choices clause

Contact Information

Your customers should always know how to contact you to discuss the information you collect about them or your Privacy Policy in general. All you need here is a simple contact clause. Keep in mind that the more ways you give customers to contact you, the better.

General Dynamics provides a simple, brief statement about how customers can contact the company regarding its Privacy Policy and other matters:

General Dynamics Privacy Policy: Contact Us clause

Summary of a CDPA Privacy Policy

The CDPA sets out some of the most comprehensive requirements for companies that do business in the Commonwealth of Virginia. Similar in many ways to California's CCPA, the CDPA lays out rules for the privacy and protection of the personal information of Virginia residents.

One of the major requirements of the law is a Privacy Policy. Your Privacy Policy should be clear and written in language free of legal or technical jargon. Links to your Privacy Policy should be included in prominent locations on your website, such as your footer, check-out form, or opt-in form, and within your app.

At a minimum, your CDPA-compliant Privacy Policy should have clauses that explain the following:

  • How you collect personal information and what type
  • Why you collect the data
  • How you use and process personal information
  • What kinds of information you share with third parties
  • What types of third parties you share data with
  • How consumers can exercise their rights
  • How to contact you

Finally, keep your Privacy Policy as up-to-date as possible. Clearly showing the date your Privacy Policy was last updated is considered a best practice.

Download Sample CDPA Privacy Policy Template

Generate a Privacy Policy in just a few minutes

Our Sample CDPA Privacy Policy Template will be made available soon.

More Privacy Policy Templates

More specific Privacy Policy templates are available on our blog.

Sample Privacy Policy Template A Privacy Policy for all sorts of businesses.
App Privacy Policy Template A Privacy Policy for mobile apps published on Apple App Store or Google Play Store.
GDPR Privacy Policy Template A Privacy Policy for businesses that need to comply with GDPR.
CCPA Privacy Policy Template A Privacy Policy for businesses that need to comply with CCPA.
California Privacy Policy Template A Privacy Policy for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA).
William Blesch

Legal and data protection research writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.