Virginia CDPA and AI: Consumer Rights, Profiling Opt-Out, and Data Protection Assessments
The Virginia Consumer Data Protection Act (CDPA), effective January 1, 2023, was the second comprehensive US state privacy law after California's. CDPA grants consumers five rights, the fifth being the right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. That profiling prong reaches AI systems that make or influence credit, employment, housing, and insurance decisions. Data protection assessments are required before processing that presents a heightened risk of harm. The Virginia Attorney General has exclusive enforcement authority, with civil penalties of up to $7,500 per violation and a 30-day cure period; there is no private right of action. CDPA applies to persons conducting business in Virginia (or targeting Virginia residents) that, in a calendar year, control or process personal data of at least 100,000 Virginia consumers, or of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data.
Five Consumer Rights Under CDPA That Apply to AI Systems
CDPA § 59.1-577 grants five rights: to confirm whether a controller is processing the consumer's personal data and access it; to correct inaccuracies; to delete personal data provided by or obtained about the consumer; to obtain a copy in a portable and, where technically feasible, readily usable format; and to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. The profiling prong of the opt-out is the key AI trigger: it applies when automated processing feeds decisions such as the provision or denial of credit, employment, housing, or insurance. Controllers must respond within 45 days (extendable once by another 45 days where reasonably necessary, with notice to the consumer), must offer an appeal process for denied requests, must answer an appeal within 60 days, and, if the appeal is denied, must tell the consumer how to contact the Attorney General. For AI systems these rights have to be enforced at the data layer, where features are assembled and scores are produced, not only as UI-level disclosures: an opt-out that is recorded in a preference center but never consulted by the scoring pipeline does not satisfy the statute.
What Triggers the Profiling Opt-Out for AI Systems
CDPA defines "profiling" as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects of an identified or identifiable natural person, including economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The opt-out right applies only when the profiling is in furtherance of decisions that produce "legal or similarly significant effects," which the statute defines as decisions resulting in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities such as food and water. In practice this covers credit scoring and loan underwriting models, hiring and resume screening models, insurance risk scoring, tenant screening, medical triage and health risk prediction, and fraud detection that results in suspension of a financial account. It does not cover product recommendations, targeted advertising (handled by a separate prong of the same opt-out right), or internal analytics that never result in a decision about an individual consumer.
Data Protection Assessments: Required Before Deploying High-Risk AI
CDPA § 59.1-580 requires a data protection assessment (DPA) before each of the following processing activities: targeted advertising; sale of personal data; profiling, where it presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury, intrusion on the consumer's private affairs, or other substantial injury; processing of sensitive data; and any other processing that presents a heightened risk of harm to consumers. The assessment must identify and weigh the direct and indirect benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, as mitigated by the safeguards the controller can employ, taking into account the use of de-identified data, consumers' reasonable expectations, the context of the processing, and the relationship between controller and consumer. A single assessment may cover a set of comparable processing operations, and the requirement applies to processing activities created or generated after January 1, 2023. The Attorney General may obtain DPAs by civil investigative demand; they are confidential, exempt from public disclosure, and producing one does not waive privilege. For AI this makes the DPA a pre-deployment gate: a new credit scoring model or health risk model should not ship until its assessment is complete and on file.
Sensitive Data Under CDPA: Opt-In Required for AI
CDPA sensitive data, which may be processed only with the consumer's consent rather than subject to an opt-out, comprises personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a natural person; personal data collected from a known child (which must be processed in accordance with COPPA, i.e. with verifiable parental consent); and precise geolocation data. AI systems that ingest sensitive data as features, inputs, or outputs need affirmative consent before processing; facial recognition, health AI, and clinical decision support tools are directly in scope. CDPA defines consent as a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement, and states that acceptance of general or broad terms of use, or hovering over, muting, pausing, or closing content, is not consent. As an engineering matter, each consent record should therefore be captured separately from the terms of service and stored with a timestamp and the version of the notice the consumer actually saw, so that a scoring pipeline can verify that consent exists and still matches the current disclosure before it uses the feature.
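The data-layer enforcement described in the consumer-rights and sensitive-data sections above can be a single gate in front of the scoring call. The following is an added example, not code from the original page or from any Virginia guidance: the model manifest, the feature-tag vocabulary, and the consent-record layout are assumptions; the decision categories and sensitive-data categories follow the statutory lists discussed above. The gate is deny-by-default, refuses profiling for significant decisions when the consumer has opted out, refuses sensitive features without opt-in consent tied to the current notice version, and refuses heightened-risk processing with no DPA on file.

```python
"""Gate a model scoring call on CDPA opt-out, sensitive-data consent and DPA status.

Added example (not the page's code). ModelManifest, Consent and the tag names
below are assumed conventions for illustration; the categories come from CDPA.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Decisions with "legal or similarly significant effects" under CDPA.
SIGNIFICANT_DECISIONS = {"financial", "housing", "insurance", "education",
                         "criminal_justice", "employment", "health_care", "basic_necessities"}

# CDPA sensitive-data categories as feature tags (assumed vocabulary).
# Known-child data follows COPPA (parental consent) and is left out of this gate.
SENSITIVE_TAGS = {"race_ethnicity", "religion", "health", "sexual_orientation",
                  "citizenship_immigration", "genetic", "biometric_id", "precise_geo"}


@dataclass(frozen=True)
class Consent:
    """One affirmative opt-in; notice_version records which disclosure was shown."""
    category: str
    notice_version: str
    granted_at: datetime


@dataclass
class ConsumerRecord:
    consumer_id: str
    profiling_opt_out: bool = False
    consents: list = field(default_factory=list)


@dataclass(frozen=True)
class ModelManifest:
    name: str
    decision: str            # e.g. "financial" or "recommendation"
    feature_tags: dict       # feature name -> data category tag
    dpa_completed: bool
    current_notice_version: str


def gate(model: ModelManifest, consumer: ConsumerRecord):
    """Return (allowed, reasons). Any unmet condition blocks the scoring call."""
    reasons = []
    significant = model.decision in SIGNIFICANT_DECISIONS
    sensitive_used = {t for t in model.feature_tags.values() if t in SENSITIVE_TAGS}

    # Heightened-risk processing requires a completed DPA before deployment.
    if (significant or sensitive_used) and not model.dpa_completed:
        reasons.append("no data protection assessment on file")

    # The profiling opt-out applies only to significant-decision profiling.
    if significant and consumer.profiling_opt_out:
        reasons.append(f"consumer opted out of profiling for {model.decision} decisions")

    # Sensitive features need opt-in consent for the notice version currently in force.
    # Later consents for the same category supersede earlier ones.
    held = {}
    for c in sorted(consumer.consents, key=lambda c: c.granted_at):
        held[c.category] = c
    for tag in sorted(sensitive_used):
        c = held.get(tag)
        if c is None:
            reasons.append(f"no opt-in consent for sensitive category {tag}")
        elif c.notice_version != model.current_notice_version:
            reasons.append(f"consent for {tag} covers notice {c.notice_version}, "
                           f"current notice is {model.current_notice_version}")
    return (not reasons, reasons)


# Constructed sample manifests and consumers for a stand-alone run.
CREDIT_MODEL = ModelManifest("underwriting-v3", "financial",
                             {"income": "financial", "dti": "financial"}, True, "2024-02")
RECO_MODEL = ModelManifest("homepage-reco", "recommendation",
                           {"clicks": "behavioral"}, False, "2024-02")
HEALTH_MODEL = ModelManifest("triage-risk", "health_care",
                             {"age": "demographic", "dx_codes": "health"}, True, "2024-02")
UNASSESSED_MODEL = ModelManifest("tenant-screen", "housing", {"score": "financial"}, False, "2024-02")

T = datetime(2024, 3, 1, tzinfo=timezone.utc)
OPTED_OUT = ConsumerRecord("c-1", profiling_opt_out=True)
CONSENT_CURRENT = ConsumerRecord("c-2", consents=[Consent("health", "2024-02", T)])
CONSENT_STALE = ConsumerRecord("c-3", consents=[Consent("health", "2023-07", T)])
NO_CONSENT = ConsumerRecord("c-4")

if __name__ == "__main__":
    for m, c in [(CREDIT_MODEL, OPTED_OUT), (RECO_MODEL, OPTED_OUT), (HEALTH_MODEL, CONSENT_CURRENT),
                 (HEALTH_MODEL, CONSENT_STALE), (HEALTH_MODEL, NO_CONSENT), (UNASSESSED_MODEL, NO_CONSENT)]:
        ok, why = gate(m, c)
        print(f"{m.name:16} {c.consumer_id}: {'ALLOW' if ok else 'DENY'} {why}")
```

The version check is the part a UI-only consent banner cannot give you: when the privacy notice changes, every stored consent for an older notice stops satisfying the gate until the consumer re-consents, and the scoring call fails closed rather than silently using the feature.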
Virginia AG Enforcement: $7,500 Per Violation, 30-Day Cure
The Virginia Attorney General has exclusive authority to enforce CDPA. Before filing a civil action the AG must give the controller or processor written notice of the alleged violation and 30 days to cure; no action may be brought if, within that period, the controller cures the violation and provides an express written statement that the violation has been cured and that no further violations will occur. Civil penalties are up to $7,500 per violation, and the AG may also recover reasonable expenses, including attorney fees, incurred in investigating and preparing the case. There is no private right of action: consumers cannot sue under CDPA, and the statute states that nothing in the chapter may be construed as providing the basis for a private right of action for violations of the chapter or of any other law, which limits attempts to use a CDPA violation as the predicate for negligence or contract claims. CDPA does not displace federal enforcement, however: the FTC can pursue a Section 5 action for unfair or deceptive practices, such as a privacy notice that fails to disclose profiling, independently of any CDPA proceeding.