Virginia Consumer Data Protection Act
The VCDPA is Virginia's comprehensive privacy law, the second in the US, granting consumers access, deletion, and opt-out rights and requiring controllers to run data protection assessments. It is enforced solely by the Virginia Attorney General.
The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive state privacy law and the second such law enacted in the United States after California. It was signed in March 2021 and took effect on January 1, 2023. The VCDPA borrows concepts from both the GDPR and the CCPA, using controller and processor roles like the GDPR and consumer rights similar to California law.
The law is enforced exclusively by the Virginia Attorney General. There is no private right of action. The VCDPA has become a model for several other state laws because of its business-friendly, opt-out-based design.
Who It Applies To
The VCDPA applies to entities that conduct business in Virginia or target products and services to Virginia residents and that, in a calendar year, either control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of personal data. It protects consumers acting in an individual or household context, not in a commercial or employment context. Many entities and data types covered by HIPAA, GLBA, and similar laws are exempt.
Key Requirements
Consumers have the rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Controllers must respond within 45 days. Processing of sensitive data, including data revealing race, religion, health, sexual orientation, citizenship, genetic or biometric data, precise geolocation, and data from known children, requires opt-in consent. Controllers must provide a clear privacy notice, limit collection to what is adequate and relevant, and establish data processing agreements with processors. Data protection assessments are required for processing that presents heightened risk, such as targeted advertising, sale of data, certain profiling, and processing of sensitive data.
Penalties for Non-Compliance
The Virginia Attorney General can seek injunctive relief and civil penalties of up to USD 7,500 per violation. There is a 30-day cure period during which a controller may fix an alleged violation before enforcement.
How to Comply
Determine whether you meet the consumer thresholds. Publish a privacy notice describing data categories, purposes, sharing, and consumer rights. Build channels to handle access, correction, deletion, portability, and opt-out requests within 45 days, with an appeal process. Obtain opt-in consent before processing sensitive data and verify age for children's data. Sign data processing agreements with processors. Conduct and document data protection assessments for high-risk processing.