Virginia’s Consumer Data Protection Act
Virginia Consumer Data Protection Act (VCDPA) — Compliance Guidance for Virginia & Washington, D.C. Businesses
The Virginia Consumer Data Protection Act (VCDPA) is Virginia’s comprehensive data privacy law that addresses the processing of sensitive data. It took effect on January 1, 2023, and continues to expand through new bills and amendments. The VCDPA grants Virginia residents significant data protection rights and imposes meaningful obligations on businesses that collect, use, or share personal data.
For companies operating in Virginia or Washington, D.C., or for any business interacting with consumers, understanding and complying with the VCDPA is now essential. The VCDPA provides data protection rights for Virginia residents, while imposing affirmative duties on Virginia businesses related to the collection and use of consumer data.
Virginia Consumer Data Protection Act. Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of sensitive data governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising.
The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.
Find more information regarding the rights of data subjects in this Virginia Office of the Attorney General (OAG) informational recap.
Who Must Comply With the VCDPA?
The VCDPA applies to any person or business that conducts business in the Commonwealth of Virginia and either:
- Controls or processes the personal data of at least 100,000 consumers in a calendar year; or
- Derives 50% or more of gross revenue from the sale of personal data and processes or controls the personal data of at least 25,000 consumers.
The Act establishes clear responsibilities and privacy protection standards for data controllers and data processors. While the VCDPA does not apply to state or local government entities, it does include exemptions for certain categories of data governed by federal privacy laws such as HIPAA, GLBA, and FERPA.
Applicability and Exemptions
The Virginia Consumer Data Privacy Act does not apply to state or local governmental entities. It also includes exemptions for certain categories of data already regulated under federal law, including:
- Health data governed by HIPAA
- Financial information covered by GLBA
- Education records protected by FERPA
- Employment and B2B data (with limited applicability)
Understanding these exemptions is critical when evaluating your organization’s compliance scope under the Virginia Consumer Data Protection Act regulations.
Consumer Rights Under the VCDPA
The Virginia Consumer Data Protection Act grants Virginia residents robust rights over their personal data. These rights, which cover data processing and the protection of personal data for purposes defined by law, allow consumers to:
- Access personal data that a business holds
- Correct inaccuracies
- Delete personal data
- Obtain a portable copy of their data
- Opt out of:
  - Targeted advertising
  - The sale of personal data
  - Automated profiling with legal or significant effects
Covered businesses must establish documented procedures to authenticate and respond to consumer requests within statutory timeframes.
Consent Standards and Exercising Consumer Rights
The Virginia Consumer Data Protection Act prioritizes consumer control over processing data. When sensitive information is involved, businesses must obtain consent through a clear affirmative act signifying a consumer’s freely given agreement, meaning an explicit and informed action disclosed to the consumer.
A consumer may exercise the right to access, correct, delete, or obtain personal data that the consumer previously provided and to opt out of data processing, including targeted advertising or profiling with significant effects concerning the consumer. Businesses must comply with an authenticated consumer request, provide a timely response to a consumer request, and process only data necessary to identify the consumer.
Enforcement and Penalties
Enforcement authority under the Consumer Data Protection Act in Virginia rests exclusively with the Virginia Office of the Attorney General (OAG). The law does not provide a private right of action.
To support enforcement, the statute creates the Consumer Privacy Fund, which finances investigations and enforcement activities. Failure to comply may result in substantial civil penalties, corrective action mandates, and reputational damage—particularly in industries where consumer trust is essential for the processing of personal data for targeted advertising.
Compliance Requirements for Virginia & D.C. Businesses
Organizations subject to the Virginia Consumer Data Protection Act must implement and maintain a comprehensive privacy compliance program, including:
- Clear and compliant privacy notices, which are essential for protecting sensitive data
- Data protection assessments for high-risk processing activities
- Controller–processor vendor contracting provisions
- Documented consumer request response procedures
- Ongoing monitoring of VCDPA regulatory updates
Businesses operating across multiple jurisdictions should also assess how the VCDPA aligns with other state privacy laws to implement scalable VCDPA solutions.
Ongoing Legislative Updates to the VCDPA
2024 Updates — HB707 / SB361:
- Requires parental consent before collecting or processing a known child’s personal or geolocation data.
2025 Update — SB854 (Effective January 1, 2026):
- Requires social media platforms to use age-screening mechanisms.
- Limits minors under 16 to one hour of use per day unless a parent provides verifiable consent.
What Your Business Should Do
- Evaluate applicable privacy laws
- Conduct data mapping
- Update privacy policies and internal procedures
- Implement vendor risk management
- Prepare for consumer data requests
How Our Privacy Team Can Help
Our office advises businesses on:
- VCDPA compliance
- Breach notification requirements
- FTC privacy enforcement
- Vendor contracting
- Data privacy program design
- Incident response
Contact our office today for a consultation with our Privacy Team.
FAQs
How Does The VCDPA Compare To Other Privacy Laws?
The VCDPA aligns with global standards such as the General Data Protection Regulation (GDPR) and shares similarities with the California Consumer Privacy Act. However, enforcement, consent standards, and exemptions differ significantly by jurisdiction.


