Sample Virginia CDPA Privacy Policy Template

Virginia's Consumer Data Protection Act (CDPA) requires many businesses, both inside and outside the state, to follow strict privacy rules. These rules include specific requirements for displaying a Privacy Policy.

In this article, we'll break down what you need to know and what to do to make sure you comply with the Privacy Policy requirements of the CDPA.

Does the CDPA Affect Your Business?

The CDPA has passed into law and its measures will take effect from 1 January 2023. The delayed implementation is partly to make sure affected businesses have no excuse for failing to comply from this date. The scope of the law is based on one key threshold but has several exemptions.

Virginia Consumer Data

The main threshold for having to comply with the CDPA is that you are a data controller responsible for the processing of personal data of more than 100,000 Virginia consumers each year. This threshold reduces to 25,000 if you make more than half of your gross revenue from selling personal data.

Being a data controller means you make the decisions about what data to process and how. If you are merely a data processor working on behalf of a data controller and following their instructions, you are not directly responsible for complying with the CDPA. However, you must have a data processing agreement with the data controller that covers how you will help them comply.

Note that the CDPA and its eligibility threshold only cover consumer data. It doesn't cover data from business-to-business relationships or data about your staff in an employment context.

Targeting Consumers

The CDPA only applies to businesses that "target" Virginia consumers, regardless of the business's location. This means you wouldn't be covered simply because you had a website that, by the nature of the internet, is inherently available to view in Virginia.

On the other hand, "target" doesn't mean you aim your business solely or as a specific priority towards consumers in Virginia. It simply means they are among your intended customer base.

In practice, the 100,000 Virginia consumer threshold means the issue of targeting will rarely be the deciding factor in whether a business must comply with the CDPA.

Are you Exempt From the CDPA?

You are exempt from the CDPA if you are already covered by a federal privacy law, even if you meet the threshold to comply. Examples include HIPAA for health data and the Gramm-Leach-Bliley Act for financial institutions.

If you are covered by one of these laws, you are completely exempt from the CDPA. This differs from the California Consumer Privacy Act where the equivalent exemption is limited to specific types of data.

Why Do I Need a Privacy Policy Under the CDPA?

The CDPA has two main sets of measures. One is a set of enforceable privacy rights for consumers. The other is a set of legal responsibilities for data controllers. One of these responsibilities is to "provide consumers with a reasonably accessible, clear, and meaningful privacy notice": in other words, a Privacy Policy.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer the questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

If you fail to comply with the responsibilities of the CDPA, including the Privacy Policy requirement, the state's Attorney General can order you to correct this failure. If you fail to do so within 30 days, the Attorney General can fine you up to $7,500 for each violation. This could mount up quickly: in theory, each person who complained that their privacy rights were breached because they couldn't access a Privacy Policy could count as a separate violation.

Preparing a Privacy Policy now will also save you time as other states adopt their own data privacy laws.

What Must I Include in my CDPA Privacy Policy?

The CDPA sets out specific information that you must include in your Privacy Policy. We've listed the specific wording of the CDPA in the sub-headings below and then explained the requirements in more detail.

"The Categories of Personal Data Processed by the Controller"

Unlike California's CCPA, the CDPA does not specify the categories you use when breaking down the data you collect.

The CDPA does say your Privacy Policy needs to be "meaningful," so somebody reading it should be able to tell whether a particular piece of information is likely to fall into one of the categories you have listed as data you process. You could give a list of examples for each category, though make clear this list is not exhaustive.

If you are already affected by the CCPA, you may find it simpler to reuse the same categories that the CCPA requires for a Privacy Policy.

The Claridges Privacy Policy goes a step beyond the CDPA's requirements by detailing specific uses of data rather than just processing:

Claridges CCPA Privacy Notice: Excerpt of chart of categories of personal information collected

This is a very good format for displaying information to users in a way that's easy to understand and well-organized.

"The Purpose for Processing Personal Data"

This means telling customers why you will collect or use their data. Unlike some laws, such as Europe's GDPR, the CDPA doesn't limit the purposes for which you can use data, as long as you list them.

Being complete and accurate here is important. Under the CDPA you don't need prior consent to collect or use data as long as you have informed the consumer about that processing. However, you do need consent to process the data for any other purpose, either immediately or later on.

The Stockholm International Water Institute gives clear explanations of its purposes for processing data in specific circumstances:

Stockholm International Water Institute: Processing Personal Data - Register for events clause

"How Consumers May Exercise Their Consumer Rights [Under the CDPA] Including How a Consumer May Appeal a Controller's Decision With Regard to the Consumer's Request"

Although the legislation doesn't literally say you must list the consumer rights in your Privacy Policy, you need to do so to make your policy meaningful. The rights are as follows:

  • To know whether you process data about the consumer and, if so, to access it
  • To correct any inaccuracies in the data
  • To delete the data. (The CDPA doesn't set out any limits on this right, though these could be established in later guidance or rulings.)
  • To get a copy of the data in a "portable" and "readily usable" format, where available, so the consumer can transfer it to another controller
  • To opt out of their data being used for targeted advertising, being sold, or being used for profiling in a way that produces "legal or similarly significant effects"

Means of Communication

You must tell users how they can exercise these rights, for example what means they can use to contact you and what details they need to provide. You must offer at least one method that is "secure and reliable."

The CDPA doesn't specify the acceptable ways to exercise the rights, but it does say the methods you offer should take into account how people normally interact with you. For example, if you have a customer support phone line or email address, it likely wouldn't be reasonable to say consumers can only exercise their CDPA rights by mail.

You can (and should) have a process for verifying a consumer's identity before providing any personal data in response to an access request.

Refinitiv provides a clear link to exercise data privacy rights and explains the verification process:

Refinitiv: How to find out if listed on World-Check section - Submit a data subject access request link highlighted

Timescale, Costs and Appeals

If you cannot or will not meet a consumer's request to exercise their CDPA rights, they have the right to appeal your decision. Your Privacy Policy must set out how they can do this.

It makes sense to also list the timescales set out by the CDPA, which are as follows:

  • Normally you must respond to an initial request within 45 days. Despite this deadline, you must respond "without undue delay."
  • If you can't meet this deadline, you must inform the consumer within the original 45 days. You can then extend the deadline by a further 45 days.
  • If you refuse to meet the request, the consumer can appeal your refusal. You must have a "conspicuous" process for them to do so. You then have 60 days to respond to the appeal. If you refuse the appeal, you must tell the consumer how to contact the state Attorney General to complain.

You cannot charge a fee for handling the first two requests a consumer makes in a year. For further requests you can only charge if you consider the request to be "manifestly unfounded, excessive or repetitive." Even if you do charge, the fee must be reasonable and only cover your administrative costs.

"The Categories of Personal Data that the Controller Shares With Third Parties, if Any"

While the CDPA doesn't specify that you do this, it will usually make sense to list this information using the same categories that you used to list the data you process. This will make it easier for consumers to be confident in understanding whether a particular piece of data that you process will be shared. This helps you comply with the requirement to make your Privacy Policy meaningful.

To meet this requirement, you'll need to list any categories of data that you disclose, regardless of whether you receive a payment for it.

Snap uses clear categories and gives good examples and explanations:

Snap Privacy Policy: How we share information clause excerpt

"The Categories of Third Parties, if any, With Whom the Controller Shares Personal Data"

Again, this covers data that you disclose to a third party, regardless of whether you receive a payment for it.

The CDPA doesn't specify how you should categorize third parties. (This may be addressed in official guidance before the law's measures take effect.)

A good rule of thumb here is that even if your Privacy Policy doesn't list a specific recipient by name, the categories should be clear and useful enough that the consumer can reasonably work out if that recipient would be covered.

Our World In Data uses an effective mix of describing general categories of third parties and giving specific information about particular third parties:

Our World In Data Privacy Policy: Sharing your data with third parties clause excerpt

Additional Information

The CDPA says you must "clearly and conspicuously" state when you sell personal data to third parties or use personal data for targeted advertising. You must also tell consumers how they can opt out of such processing.

In this context, "sell" only means exchanging the data for money. Disclosing it without payment or in return for services does not count.

Although the CDPA doesn't explicitly say you must include this information in your Privacy Policy, it will usually make sense to do so.

How and Where Should I Display my CDPA Privacy Policy?

The CDPA does not give specific details of how to display your Privacy Policy but does say it must be "reasonably accessible, clear, and meaningful." This means you cannot hide the information away somewhere where it's difficult to find or access.

In most cases it makes sense to put your Privacy Policy on your website. You can also make it available in printed form if you know or believe you handle data from consumers who are unlikely to access your site.

One of the most standard places for displaying a Privacy Policy is in a website footer. Consumers know to look here, and it's readily accessible since the footer is static on every page of the website.

Here's an example of displaying a Privacy Policy in a website footer from Pocket Living:

Pocket Living website footer with Privacy Policy link highlighted

Because the CDPA does not require advance consent for processing (other than for data classed as sensitive), you do not have quite the same urgency to be absolutely certain a consumer has seen your Privacy Policy before providing data. However, it's your responsibility to show you've made reasonable efforts to make your policy readily available, thus making it meaningful.

Pocket Living uses a standard Privacy Policy but also offers specific information for people signing up to its newsletter, and displays the link to this information when it would matter most to people:

Pocket Living Newsletter sign-up form page with Privacy Policy links highlighted

Other common places to display a Privacy Policy are the checkout screens of ecommerce websites, account creation or log-in screens, or anywhere else where you are actively collecting personal information.

Summary

Let's recap what you need to know and do to comply with the CDPA's rules on Privacy Policies:

  • The CDPA applies if you handle the personal data of more than 100,000 Virginia consumers in a year. The threshold is 25,000 if at least 50% of your revenue comes from selling data.
  • The CDPA only covers personal data about consumers. It doesn't cover business-to-business or employer-employee contexts.
  • The main exclusion is that you are covered by a federal law regarding data privacy.
  • The CDPA explicitly requires you to have a "reasonably accessible, clear, and meaningful privacy notice."
  • Your privacy notice (Privacy Policy) must include:

    • The categories of data you process
    • The purposes for processing the data
    • How consumers can exercise their rights, which include:

      • To know what data you process about them and to access it
      • To correct inaccuracies
      • To delete data
      • To get a copy of data in a portable format
      • To opt out of you selling their data or using it for targeted advertising or profiling
    • How consumers can appeal against your decisions regarding exercising their rights
    • The categories of data you share and the categories of third parties you share it with
  • You must also say if you sell data to third parties or use it for targeted advertising and remind customers of their opt-out rights. The Privacy Policy is the best place to do this.
  • The CDPA doesn't detail how to display your Privacy Policy. Putting it on your website is normally the best way to make it "reasonably accessible."