CDPA Incident Response Guidelines

What you need to know to prepare your organization for Virginia’s new privacy regulation

Virginia Consumer Data Protection Act (CDPA)

The Consumer Data Protection Act (CDPA) is Virginia’s comprehensive privacy legislation that will go into effect in 2023, giving Virginia residents the right to understand what data businesses have collected about them, ask that data be deleted, and opt out of having that data sold, among other new rights. CDPA is more business-friendly than other privacy regulations, but it’s still important to understand exactly what’s required for organizations and prepare accordingly.

Automate CCPA & CPRA obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who Must Follow CDPA Guidelines

Any qualifying business that might process personal data of Virginia residents, regardless of where that organization is located, is subject to CDPA. The Virginia law only applies to businesses that either:

  • Control or process personal data of more than 100,000 Virginia consumers in a calendar year
  • Control or process personal data of more than 25,000 Virginia consumers and at least 50% of their gross revenue comes from selling personal data

CPDA also grants several exceptions, as it does not apply to:

  • Employee data
  • Some instances of selling data (where information delivers a product/service requested by the consumer or uses publicly available data)
  • Businesses subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA)

What data does CDPA cover?

CDPA gives consumers the right to access data collected about them, correct errors in that data, request that data be deleted, obtain a copy of that data, opt out of their data being sold, and appeal any failure to respond to those requests.

How does CDPA get enforced?

The Virginia Attorney General will enforce CDPA. Violating organizations will receive a notice. They will then have 30 days to remedy the situation and respond with a written statement that the issue was fixed and won’t reoccur.

Why comply with CDPA?

CDPA violations (and a failure to fix them within the 30 day remediation window) can lead to a fine of up to $7,500 per violation. These fines will fund future enforcements, creating a unique incentive to issue them.

CDPA requires companies to introduce “reasonable administrative, technical, and physical data security practices” and data protection assessments for processing activities. It’s up to each organization to determine exactly what this means, and they will have to defend their practices if a violation occurs.

What Incident Response Looks Like Under CDPA

CDPA does not actually provide any guidance for notifying affected individuals or agencies when a privacy incident occurs. Instead, the response requirements come from different, older state laws, which outline the following incident response requirements:

Who to Notify

Organizations must notify any affected individual and the state Attorney General if any kind of privacy incident occurs. Additional notification requirements include:

Unique Circumstance

Who Additionally to Notify

If more than 1,000 individuals are affected:All consumer reporting agencies that maintain files of individuals nationwide about the timing, distribution, and content of the notice
If medical information is involved:The subject of that information, any affected residents (if they are not the same person), and the Commissioner of Health
If the organization doesn’t own the data (e.g. they are a processor):The owner (also known as the controller) of that data

When to Issue the Notification

Organizations must issue a notification “without unreasonable delay.” 

CDPA does allow organizations to “reasonably” delay this notice to spend time evaluating the scope of the incident and restoring integrity to affected systems. However, the burden falls on organizations to determine what is “reasonable.”

How to Issue a Privacy Incident Notification

Organizations must issue a privacy incident notification to each affected individual in the mail, on the telephone, or electronically. In any format, the notice should describe:

  • The general incident
  • The type of information involved
  • What actions the organization is taking to protect the information from future incidents
  • A phone number the affected individual can use to get more information or assistance, if one exists
  • Advice that affected individuals stay vigilant, for example by regularly monitoring account statements and credit reports

Organizations can issue a substitute notice if the cost of the notice exceeds $50,000, if more than 100,000 Virginia residents are affected, or if the organization doesn’t have sufficient contact information to notify each individual. This substitute notice must include all of the following:

  • Emails to any affected individuals for which the organization has that type of contact information
  • A conspicuous notice posted on the organization’s website (assuming it has a website)
  • Notice to major statewide media

Organizations can maintain their own notification procedures for Virginia residents as long as they comply with the timing requirements of “without unreasonable delay.”

3 Types of Events That Create a Privacy Incident Under CDPA

A variety of events, including data breaches and company errors, can lead to incident response situations under CCPA and CPRA. A few of the most common include:

Phishing malware or trojan

Phishing Attack

An employee falling victim to a phishing attack in which they mistakenly expose data (i.e. passwords that grant access to company data) gives third parties access to any type of information, therefore creating an incident.


Improperly Shared Data

Improperly sharing data, whether that’s sharing data after consumers opt out, sharing sensitive data over unencrypted channels, or mistakenly responding to a consumer’s request with the wrong data, violates CDPA.

Nation-state Attack

Nation-State Attack

A nation-state attack is a cyber attack backed by a country’s government to gain access to intellectual property or other sensitive data. These attacks expose consumers’ private information, putting them at risk.

Why CDPA Makes Proactive Incident Response Critical

Virginia’s CDPA is one of the newest examples of comprehensive privacy legislation, and it certainly won’t be the last. The combination of CDPA’s requirements for a quick response and the fact that privacy incidents are now more a matter of “if” then “when,” organizations must be prepared to spring into action when something does occur.

Understanding what’s required by laws like CDPA, establishing a plan to respond accordingly, and maintaining that plan as requirements change is absolutely critical. This preparation can help organizations quickly and confidently jump into incident or breach response mode, which can lead to a faster recovery and reduce the overall impact of the incident.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.