Virginia Consumer Data Protection Act Amendments


by | December 10, 2025

VCDPA’s Continued Development

Since the Virginia Consumer Data Protection Act (“VCDPA”) took effect in 2023, the Virginia legislature has continued to amend it.

In 2024, HB707/SB361 passed, requiring parental consent before controllers can collect or process a known child’s personal or geolocation data.  Additional purpose limitations to such collection or processing were added. 

In 2025, SB854 seeks to limit social media use to one hour per day for anyone younger than 16 years old:

Requires that any controller or processor that operates a social media platform shall (i) use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor younger than 16 years of age and (ii) limit any such minor’s use of such social media platform to one hour per day, per service or application, and allow a parent to give verifiable parental consent to increase or decrease the daily time limit.  

The effective date of this bill is January 1, 2026.

These developments layer on top of federal legislation under consideration and the FTC’s continued uptick in enforcement actions, particularly related to children’s privacy and vendor management. For example, this recent FTC settlement with a toymaker highlights the risks associated with a third party’s software development kit (“SDK”). Thoughtful privacy policies, along with proper vendor management, continue to be key themes for businesses to proactively address.

VCDPA Refresher

The Virginia Consumer Data Protection Act (VCDPA) is Virginia’s comprehensive data privacy law.  The VCDPA took effect on January 1, 2023, and it continues to evolve with multiple bills and amendments updating its provisions.

The VCDPA provides data protection rights for Virginia residents, while imposing affirmative duties on Virginia businesses related to the collection and use of consumer data.

Virginia Consumer Data Protection Act. Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising.

The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.

Legislative Summary

Find more information in this Virginia Office of the Attorney General (OAG) informational recap.

With the emerging focus on data protection and privacy–and in light of the numerous regulatory frameworks that could apply to a Virginia-based company–businesses should act now to create a compliant framework. The VCDPA will likely apply to companies that interact with Virginia residents, or process the personal data of Virginia residents on a larger scale.  The VCDPA does not define “conducting business in Virginia,” but economic activity that triggers tax liability or personal jurisdiction in Virginia may be a good test for whether the VCDPA applies to your business.

In addition to the internal business requirements, the VCDPA imposes vendor risk management obligations. This includes express contract protections related to a vendor’s data processing of a company’s information. With the proliferation of cloud-based service and storage solutions, this requirement is increasingly relevant both as a matter of legal compliance and as a matter of secure business operations.

Virginia’s Pre-Existing Data Protection and Privacy Framework

Virginia had pre-existing Data Protection and Privacy rules in VA Code § 18.2-186.6. The statute requires an individual or entity that owns, maintains, or possesses personal identifying information of Virginia residents, who has a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, to report the unauthorized breach to the Office of the Virginia Attorney General (OAG) and to provide notification to each affected Virginia resident.

In short, if your Virginia business possesses “personal identifying information”–such as social security numbers, credit card numbers, passport numbers, dates of birth, etc.–and you believe that a third party has accessed or taken this information without permission, then you have a data breach. Once you suspect a data breach, then there are numerous steps that you must take to comply with the statute.

The statute prescribes specific requirements for the notification to the OAG and to the individuals affected. In addition to any civil action for actual damages and other regulatory sanctions, the OAG may bring a civil action that carries a fine of up to $150,000 per breach.

The nuances of covered entities, covered data, and the notification requirements can be complex. Preventative maintenance and a thoughtful approach to your entity’s handling of privacy data are essential to any Virginia business. Read more here about a thoughtful and preventative approach to handling data and your business’s IT risks.

If your Virginia entity believes that a data breach has occurred, your entity should immediately consult with experienced IT professionals and with our office to discuss the applicable requirements and act immediately.

There are separate statutes applicable to the disclosure of private health information by state and local entities. Likewise, HIPAA and other federal prescriptions apply to covered health information.