Virginia’s Consumer Data Protection Act


Virginia Consumer Data Protection Act (VCDPA) — Compliance Guidance for Virginia & Washington, D.C. Businesses

The Virginia Consumer Data Protection Act (VCDPA) is Virginia’s comprehensive data privacy law. It took effect on January 1, 2023, and continues to expand through new bills and amendments. The VCDPA grants Virginia residents significant data protection rights and imposes meaningful obligations on businesses that collect, use, or share personal data.

For companies operating in Virginia or Washington, D.C., or for any business interacting with Virginia consumers, understanding and complying with the VCDPA is now essential. The VCDPA provides data protection rights for Virginia residents, while imposing affirmative duties on Virginia businesses related to the collection and use of consumer data.

Virginia Consumer Data Protection Act. Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising.

The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.

Legislative Summary

Find more information in this Virginia Office of the Attorney General (OAG) informational recap.

Who Must Comply With the VCDPA?

The VCDPA applies to any person or business that conducts business in the Commonwealth of Virginia and either:

  1. Controls or processes the personal data of at least 100,000 consumers in a calendar year; or
  2. Derives 50% or more of gross revenue from the sale of personal data and processes or controls the personal data of at least 25,000 consumers.

The Act establishes clear responsibilities and privacy protection standards for data controllers and data processors. While the VCDPA does not apply to state or local government entities, it does include exemptions for certain categories of data governed by federal privacy laws such as HIPAA, GLBA, and FERPA.

Consumer Rights Under the VCDPA

Virginia residents are granted several enforceable rights concerning their personal data, including the right to:

  • Access personal data a business holds
  • Correct inaccuracies
  • Delete personal data
  • Obtain a portable copy of their data
  • Opt out of:
    • Targeted advertising
    • The sale of personal data
    • Automated profiling with legal or significant effects

Businesses must establish processes to respond to these requests within statutory timelines.

Enforcement Authority

The Virginia Office of the Attorney General (OAG) has exclusive enforcement authority. The law also establishes the Consumer Privacy Fund to support enforcement activities.

Noncompliance can lead to significant civil penalties and reputational damage—particularly when consumer trust in data protection is at stake. 

Compliance Requirements for Virginia & D.C. Businesses

Businesses subject to the VCDPA must implement:

  1. Clear Privacy Notices
  2. Data Protection Assessments
  3. Vendor and Processor Contracting
  4. Consumer Request Response Procedures

Ongoing Legislative Updates to the VCDPA

2024 Updates — HB707 / SB361:

  • Requires parental consent before collecting or processing a known child’s personal or geolocation data.

2025 Update — SB854 (Effective January 1, 2026):

  • Requires social media platforms to use age-screening mechanisms.
  • Limits minors under 16 to one hour of platform use per day unless a parent provides verifiable consent.

What Your Business Should Do

  1. Evaluate applicable privacy laws
  2. Conduct data mapping
  3. Update privacy policies and internal procedures
  4. Implement vendor risk management
  5. Prepare for consumer data requests

How Our Privacy Team Can Help

Our office advises businesses on:

  • VCDPA compliance
  • Breach notification requirements
  • FTC privacy enforcement
  • Vendor contracting
  • Data privacy program design
  • Incident response 

Contact our office today for a consultation with our Privacy Team.
