Name: Tsaaro Consulting
Address: Indiranagar Sub Post Office, 2nd Floor, 198,, Bengaluru, 560038, IN
Telephone: 07760923421
Price range: 00

What is the Consumer Data Protection Act passed by Virginia?

The CDPA draws its substance from existing Privacy Act and California Consumer Privacy Act.

Who does it apply to?

Entities which conduct business in Virginia or produce products or services that are targeted to Virginia residents. Which businesses fall under these criteria?
- Those which control or process the personal data of at least 100,000 consumers during a calendar year.
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.

How is CDPA different from CCPA?

No revenue threshold: even large businesses will not fall under its scope unless they meet the above criteria.
Threshold of data processed is higher: double the number of residents should be data subjects for CDPA to apply.
No time limits or formats regarding disclosures.
Consideration for sale of data must be in terms of money. Sale of data explicitly excludes:
- Disclosures to processors, third parties for a product or service, controller’s affiliates, information that consumers themselves made available to a mass audience, as a part of a M&A transaction.

CPRA v/s CDPA?

Employee data not included in CDPA: omits a person from the definition of a consumer where they are acting in a commercial or employment context.

What is the scope of personal data?

Excludes deidentified or publicly available data. These operate on two levels under the CDPA:
- Entity level exemptions:
  - Virginian authorities, political subdivision
  - Financial institutions
  - Entity/ business subject to Health Insurance Portability and Accountability Act.
  - A non profit organization
  - Higher education institution
- Data level exemptions: these are broadly of 14 types including information regulated under:
  - Fair Credit Reporting Act
  - Drivers Privacy Protection Act
  - Farm Credit Act
  - Family Educational Rights and Privacy Act

What are the rights of the consumers?

Right to access and confirm the processing of personal data
Right to correct inaccuracies in personal data
Right to delete personal data
Right to data portability and to transmit the data to another controller without hindrance
Right to opt out of the processing of personal data (like targeted Ads, sale of data). There is no exception in favour of the businesses in this right.
Right to appeal a business’s denial to act reasonably.

What are business’ obligations?

Limits on collection: adequate, relevant and reasonably necessary in relation to the purposes
Limits on use: to not process personal data for purposes that are not disclosed, unless the controller obtains the consumer’s consent
Technical safeguards: to maintain reasonable technical data security practices to protect the confidentiality, integrity, and accessibility of personal data
Data Protection Assessments: conduct and evaluate the risks associated with processing activities
Data processing agreements: must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
Privacy Policy: must state the following:
- Categories of personal data processed and/or shared with third parties
- Purpose of processing data
- Consumer’s rights and methods of appeal

How does the enforcement work?

No private right of action given: the enforcement largely depends on the attorney general.
The controller has 30 days to act upon the violation ad provide the AG with a written statement to that effect
- Failure to do so will attract a penalty of $7,500 per violation.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.

Cookie	Duration	Description
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.

Virginia Consumer Data Protection Act

About Tsaaro

Resources

Other Links

Tsaaro Netherlands Office

Tsaaro Pune Office

Tsaaro Noida Office

Tsaaro Bengaluru Office I

Tsaaro Bengaluru Office II

Call Our Experts:

+91 95577 22103

We’d love to help your organization achieve your Data Protection goals!