Last updated on 20 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
If your company collects personal information from Virginia residents who register for your services online or visit your website, and it meets the law's applicability thresholds, then you are required to comply with the state's Consumer Data Protection Act (CDPA).
The CDPA will become effective on January 1, 2023.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
The CDPA (Virginia Consumer Data Protection Act) is a privacy law that applies to businesses operating in the Commonwealth of Virginia, or targeting its residents, that meet the law's applicability thresholds.
What this means for you is that you will need to review your website's Privacy Policy and, if necessary, update it to meet the demands of the CDPA.
If you don't have a Privacy Policy, you should get one written promptly. A publicly posted Privacy Policy that sets out your data protection and privacy terms is one of the most significant parts of compliance with Virginia's new law.
Whether you need to write a Privacy Policy from scratch or are worried about what needs to be updated, we've got you covered. To ensure that you have a CDPA-compliant Privacy Policy, let's dive into what you need to do before 2023 arrives.
Virginia's CDPA moves the United States a giant leap closer to the kind of strict privacy and data security laws found in the European Union. Some have also compared the CDPA to the California Consumer Privacy Act (CCPA), which, until the CDPA passed, was widely regarded as the most stringent data privacy law in the United States.
However, the CDPA goes further than the CCPA in the security and data protection assessment obligations it imposes on companies.
The CDPA applies to persons that conduct business in the Commonwealth of Virginia, or that produce products or services targeted to the state's residents, but only if they also meet one of the law's volume thresholds. Specifically, the CDPA applies to you if, during a calendar year, your company:
The law's definition of consumer is "a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context."
According to the CDPA, the definition for "Personal Data" is "any information that is linked or reasonably linkable to an identified or identifiable natural person." Exceptions to this definition include:
The CDPA outlines what kinds of personal information are considered private and which you must protect. These are:
Under the CDPA, "consent" is "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." Note that the CDPA does not require consent for all processing: you must obtain a Virginia resident's consent before processing their sensitive data (the categories listed above), and for other personal data you must still disclose the purposes of processing and honor the consumer's rights to opt out of targeted advertising, the sale of personal data, and profiling.
If you fail to maintain a CDPA-compliant Privacy Policy, you could face a civil penalty of up to $7,500 per violation, enforced by the Virginia Attorney General. Many will consider that a hefty price tag. However, business owners should also consider that the company may have to pay the "reasonable expenses" incurred in investigating and preparing the case in addition to the penalty, and those reasonable expenses may include attorney's fees.
You may find the answers to the following questions useful.
If you do business in the Commonwealth of Virginia, or target its residents, and you meet the law's applicability thresholds, then yes.
You must provide a Privacy Policy that discloses information such as:
To update your existing Privacy Policy for CDPA-compliance, first remember that it must be "reasonably accessible, clear, and meaningful."
Lawmakers weren't especially clear about what that actually means. However, if you use the CCPA as a model (its legislators were more conscientious in providing businesses with clear definitions and instructions), then in addition to including the information mentioned above, you'll want to:
If your Privacy Policy doesn't include a means of recording that a consumer has read and agreed to its contents, it won't be considered an agreement. If it isn't an agreement between you and your website's visitors, it's simply a notice and not something you can enforce.
To ensure that your Privacy Policy can serve as an enforceable statement of rights and disclaimers, you'll want to include a button next to text that states, "I have read and agree to the terms of the Privacy Policy." The button should say "I Agree."
Alternatively, you can use an unticked checkbox next to a statement like the one above. To proceed, users would have to tick the checkbox to affirm that statement, and you should keep a record of when they did so and which version of the policy they agreed to.
In essence, to create a Privacy Policy that's as airtight as possible, you'll want to ensure that:
Before you begin writing your Privacy Policy, you'll also want to conduct a self-audit of your privacy and data protection practices. That way, you'll better know what specific information you need to disclose.
Your Privacy Policy needs to have as one of its main sections the type of data your company collects. As noted previously, you need to be transparent about the categories of information that you collect.
For example, Dollar Tree lists an incredibly long list of personal data categories it collects from customers and the specific types of data it collects:
The screenshot above provides only a quick snapshot of how the company lays out its data collection practices in its Privacy Policy, but pay attention to how thorough and comprehensive the company is in disclosing them.
A context and specific types of data are given for each instance where information is collected:
- Account Registration: We collect your name, contact information, and password information when you create an account. We also collect information relating to the actions that you perform while logged into your account.
- Client Information: We collect the name and contact information of our clients and their employees with whom we may interact.
- Cookies and First Party Tracking: We use cookies and clear GIFs. "Cookies" are small pieces of information that a website sends to a computer's hard drive while a website is viewed.
- Cookies and Third-Party Tracking: We participate in behavior-based advertising, which means that a third party uses technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests on our website, or on other websites.
- Coupons/Loyalty Program Information: We may collect your telephone number, email address, name and other contact information, birthday, gender, location information, personal preferences, and password information to administer loyalty and coupon programs.
Dollar Tree goes on to list other categories for which personal information is collected. These include:
The next section you should include is how you use and process personal information. A Virginia-based company that lays everything out on the table is DXC Technology. Like Dollar Tree, it goes into explicit detail about how consumer information is both used and processed.
Just one example is how the company uses data to fulfill transaction requests:
A few other ways DXC uses and processes consumer data is to:
Every company that collects personal information from its customers should specify the information they share with third parties as well as what category of third parties it shares data with.
Here's how General Dynamics discloses this information:
Make sure you include a section that details how consumers can exercise their rights under the CDPA.
Northrop Grumman provides the information consumers need, but its language certainly isn't as simple and easy to understand as it perhaps should be:
Your customers should always know how to contact you to discuss the information you collect on them or your Privacy Policy in general. All you need here is a simple contact clause. Keep in mind that the more ways you give customers to contact you, the better.
General Dynamics provides a super simple, brief statement about how customers can contact the company regarding its Privacy Policy and other matters:
The CDPA sets out some of the most comprehensive requirements for companies that do business in the Commonwealth of Virginia. Similar in many ways to California's CCPA, the CDPA lays out rules for the privacy and protection of the personal information of Virginia residents.
One of the major requirements of the law is a Privacy Policy. Your Privacy Policy should be clear and written in language free of legal or technical jargon. Links to your Privacy Policy should be included in prominent locations on your website, such as your footer, check-out form, opt-in form, or on your app's platform.
At a minimum, your CDPA-compliant Privacy Policy should have clauses that explain the following:
Finally, you should keep your Privacy Policy as up-to-date as possible. Clearly showing the date your Privacy Policy was last updated is considered a best practice.
Generate a Privacy Policy in just a few minutes
Our Sample CDPA Privacy Policy Template will be made available soon.
More specific Privacy Templates are available over our blog.
| Template | Description |
|---|---|
| Sample Privacy Policy Template | A Privacy Policy for all sorts of businesses. |
| Sample Mobile App Privacy Policy Template | A Privacy Policy for mobile apps on Apple App Store or Google Play Store. |
| Sample GDPR Privacy Policy Template | A Privacy Policy for businesses that need to comply with GDPR. |
| Sample CCPA Privacy Policy Template | A Privacy Policy for businesses that need to comply with CCPA. |
| Sample California Privacy Policy Template | A Privacy Policy for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA). |
| Sample PIPEDA Privacy Policy Template | A Privacy Policy for businesses that need to comply with Canada's PIPEDA. |
| Sample Ecommerce Privacy Policy Template | A Privacy Policy for ecommerce businesses. |
| Small Business Privacy Policy Template | A Privacy Policy for small businesses. |
| Privacy Policy for Google Analytics (Sample) | A Privacy Policy for businesses that use Google Analytics. |
| Sample CalOPPA Privacy Policy Template | A Privacy Policy for businesses that need to comply with California's CalOPPA. |
| Sample SaaS Privacy Policy Template | A Privacy Policy for SaaS businesses. |
| Sample COPPA Privacy Policy Template | A Privacy Policy for businesses that need to comply with the US federal COPPA (Children's Online Privacy Protection Act). |
| Sample CPRA Privacy Policy Template | A Privacy Policy for businesses that need to comply with California's CPRA. |
| Blog Privacy Policy Sample | A Privacy Policy for blogs. |
| Sample Email Marketing Privacy Policy Template | A Privacy Policy for businesses that use email marketing. |
Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.