Legal Blog

New Privacy Law May Affect Your Online Presence: Three Things To Know

Close padlock key on modern white keyboard with wooden table on background, dim light dark tone.Does your business or organization rely on consumer data? If so, then Virginia’s Consumer Data Protection Act (the “Act”) should likely be on your radar. While passed in 2021, it only became effective January 1, 2023, making Virginia the second state in the union to “crack down” on the use of sensitive information. Here are three takeaways:

  1. Businesses should identify how much personal data they utilize to determine whether they fall under the Act. The Act defines covered businesses to include those that use (i) the personal data of at least 100,000 consumers in a calendar year or (ii) the personal data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of that data. This definition is profit-based and, therefore, may apply to smaller businesses that heavily work in the data sphere (or larger businesses with significant overlap between online/brick-and-mortar presence).
  2. Exemptions apply. The Act provides ample exemptions, including government entities, nonprofits, higher education institutions, and businesses that operate under the Health Insurance Portability and Accountability Act (HIPAA).
  3. Compliance means choice and control. Much like the privacy laws in California and the European Union, the Act is focused on providing consumers with transparency and choice regarding the use of their personal data. Therefore, covered businesses must provide online users with the right to “opt-out” of the use of their personal data for profit and the right to delete data gathered by a business, among other choices. Businesses must also develop security practices and regularly assess its use of data protection (duration/specifics on assessment is undefined). Complying with the Act, therefore, means that organizations should develop a comprehensive privacy plan with several “options” to limit exposure (one penalty can cost a business $7,500). The Virginia Attorney General’s Office is responsible for enforcement of the Act – and will apply a 30-day “right to cure” any related violations before a fine is assessed.

Reach out to me to discuss the Act and its potential applicability to your organization.

Contact me at or 703.745.1849


Theodora Stringham assists individuals, businesses, and organizations with growing successfully while minimizing liability. Focusing on real estate and personnel needs, Ms. Stringham executes sustainable plans for real estate development and employee matters. She provides comprehensive representation for everyday growth issues, including, but not limited to, re-zonings, site plan approvals, eminent domain/valuation concerns, employment discrimination, and disciplinary issues. Ms. Stringham’s scope of representation ranges from identifying potential liability and providing counseling/trainings, all the way through representation at trial.






Offit Kurman, one of the fastest-growing, full-service law firms in the United States, serves dynamic businesses, individuals and families. With 19 offices and more than 280 lawyers who counsel clients across more than 30 areas of practice, Offit Kurman helps maximize and protect business value and personal wealth by providing innovative and entrepreneurial counsel that focuses on clients’ business objectives, interests and goals. The firm is distinguished by the quality, breadth and global reach of its legal services and a unique operational structure that encourages a culture of collaboration. For more information, visit