Virginia has joined California in passing consumer privacy legislation with broad national reach. Effective January 23, 2023, the Virginia Consumer Data Protection Act (Virginia CDPA) and the California Privacy Rights Act (CPRA) significantly overlap regarding compliance obligations; however, some factors set the Virginia CDPA apart.

The recently passed California Consumer Privacy Act (CCPA) currently applies to entities that do business in California, have $25 million in annual gross revenue, annually handle the personal information of 50,000 or more consumers, households, or devices, and derive 50 percent or more of their annual revenues from selling personal information.

The CPRA applies to entities that do business in California, have $25 million in annual gross revenue, annually handle the personal information of 100,000 or more consumers, and derive 50% or more of their annual revenues from selling or sharing personal information.

Finally, the Virginia CDPA applies to all entities that “conduct business” in Virginia or “produce products or services that are targeted to residents” of Virginia and meet either of the following conditions: 1. Control or process the personal data of at least 100,000 consumers, or 2. Control the data of at least 25,000 consumers and derive over 50% or more of their gross revenue from selling personal data. Virginia’s legislation does not include a blanket revenue threshold.