In The News

Challenge Accepted: Initial Virginia CDPA Reactions, Considerations


04 Mar 2021

Kristen Mathews spoke to IAPP about the passage of Virginia’s Consumer Data Protection Act (CDPA).

According to Kristen, the glaring differences between the CDPA and existing privacy legislation start with the definition of “personal data,” which only relates to information identifiable to a natural person. Other provisions unique to Virginia’s law are the definition of and conditions for “deidentification” and a lack of exceptions on a data subject’s right to delete.

She added that another difference in the Virginia legislation is a data protection assessment, which will be new to some companies, while others will be familiar to a degree if they fall under the GDPR’s [General Data Protection Regulation] scope.

“They’re like the GDPR data protection impact assessments,” Kristen said. “Not everybody has to do them. You’re only having to do them with certain kinds of processing, but if you do them, they’ll be internal, potentially questionnaire-based assessments of what you’re doing against any risks that may be posed to consumers.”

Read the full article.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.