As a retailer operating in the state of Virginia, you should be paying close attention to the Consumer Data Protection Act (CDPA), which went into effect on January 1, 2023. The law gives Virginia residents new rights over their personal data and requires businesses like yours to collect, use, and disclose that data in a responsible and transparent manner.

What is the Consumer Data Protection Act?

The CDPA is a comprehensive privacy law that applies to businesses that conduct business in Virginia, or target products or services to Virginia residents, and that control or process the personal data of Virginia consumers above certain thresholds (see below). Personal data under the Act is any information linked or reasonably linkable to an identified or identifiable individual: names, addresses, email addresses, phone numbers, payment information, loyalty-account data, and so on. A narrower category of sensitive data (for example health, biometric, precise geolocation, and children's data) may be processed only with the consumer's consent. The Act also gives consumers the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling; a business must respond to such a request within 45 days.

Businesses subject to the CDPA are required to take certain steps to protect consumer personal data, which include:

  • Establishing policies and procedures to protect personal data: The CDPA limits collection to what is adequate, relevant, and reasonably necessary for the purposes you disclose, and requires you to honor consumer rights requests within 45 days and to offer an appeal process if you refuse one. In practice that means written procedures for request intake, identity verification, and fulfilment, and for limiting what data each system collects and how long it is kept. The Act also requires a documented data protection assessment before you process sensitive data or use personal data for targeted advertising, sale, or profiling that presents a heightened risk to consumers.
  • Training employees on data privacy issues: The CDPA does not prescribe a training curriculum, but the staff who take consumer requests, run marketing, or administer customer databases need to know what the law requires of them. Training should be tailored to those roles and repeated as systems and obligations change.
  • Implementing technical safeguards: The Act requires reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal data, that protect its confidentiality, integrity, and accessibility. It does not name specific controls; encryption of data at rest and in transit, access limited to staff with a business need, and logging of access to customer records are the measures an assessor will expect to see.
  • Disclosing privacy practices: Businesses must provide a reasonably accessible, clear, and meaningful privacy notice that states the categories of personal data processed, the purposes of processing, how consumers can exercise their rights (including how to appeal a refusal), the categories of personal data shared with third parties, and the categories of those third parties. If you sell personal data or use it for targeted advertising, the notice must say so and explain how to opt out.

Does the CDPA apply to my business?

The CDPA applies to any person that conducts business in Virginia, or produces products or services targeted to Virginia residents, and that during a calendar year:

  • Controls or processes the personal data of at least 100,000 consumers; or
  • Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

There is no revenue-only threshold. A consumer is a Virginia resident acting in an individual or household context, so employees and business-to-business contacts do not count toward these numbers. Certain entities, such as nonprofits and financial institutions already subject to the Gramm-Leach-Bliley Act, are exempt.

If your business meets either threshold, you are required to comply with the CDPA. The Act is enforced by the Virginia Attorney General, who may seek civil penalties of up to $7,500 per violation after giving you written notice and a 30-day period to cure; there is no private right of action.

Taken together, these obligations mean that a business subject to the CDPA has to build and maintain a privacy program. The statute does not use that phrase, but there is no other way to meet its requirements consistently.

Why is building a privacy program so critical?

Here are just a few reasons:

  1. Compliance: First and foremost, the CDPA's obligations cannot be met ad hoc. Without a program, consumer requests get missed and privacy notices go stale, and your business could face Attorney General enforcement and civil penalties.
  2. Trust: Consumers are increasingly concerned about their privacy, and they want to know that their sensitive data is being handled responsibly. By building a privacy program, your business can demonstrate that you take consumers' privacy seriously and that you are committed to protecting their personal data.
  3. Reputation: Data breaches and other privacy incidents can damage your business's reputation and cause customers to lose trust in your brand. By implementing strong privacy practices and administrative, technical, and physical security controls, you can reduce the risk of such incidents and protect your reputation.
  4. Competitive advantage: As more and more businesses adopt privacy programs, those that don't may find themselves at a competitive disadvantage. By building a privacy program, you can position your business as a leader in the industry and attract customers who value privacy.

Building a privacy program is critical for retailers, and especially for retailers serving customers in Virginia, because the CDPA now requires them to honor new consumer rights and protections. A company that puts consumer requests and consumer privacy first builds a brand synonymous with trust, protects its reputation, and gains a competitive advantage.

How can BD Emerson help you get there?

BD Emerson builds privacy and cybersecurity programs for clients in every business sector and understands what it takes to bring your business into compliance with privacy regulations. Cyber-insurance underwriters increasingly ask about the same controls at renewal. By taking steps to protect personal data and comply with the CDPA, you safeguard your business and give your customers peace of mind. Please contact us at or

New Virginia Privacy Law: Is Your Retail Business in Compliance?

About the author

Managing Director

Drew spearheads BD Emerson's Governance, Risk, Compliance, and Security (GRC+Sec) division, where he channels his expertise into guiding clients through the labyrinth of Information Security, Risk Management, Regulatory Compliance, Data Governance, and Privacy. His stewardship is key in developing tailored programs that not only address the unique challenges faced by businesses but also foster a culture of security and compliance.

