Virginia Consumer Data Protection Act (VCDPA): The Ultimate Guide
LEGAL DISCLAIMER: This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation.
What is the VCDPA? A 30-Second Summary
Imagine every time you visited a website, used an app, or bought something online, the business gave you a detailed receipt. But instead of listing prices, this receipt listed every piece of personal information they collected about you: your name, your email, your browsing habits, even your location. Now, imagine that receipt came with a set of tools. With one button, you could ask the business to show you the full list. With another, you could fix a mistake on it. With a third, you could tell them to shred your receipt and forget they ever met you. And with a special “Do Not Sell” button, you could forbid them from ever sharing that receipt with anyone else for marketing.
That, in a nutshell, is the power the Virginia Consumer Data Protection Act (VCDPA) gives to the residents of Virginia. It’s not a physical receipt, of course, but a powerful set of digital rights that puts you back in control of your personal information. For businesses, the VCDPA is a new rulebook that dictates how they must transparently and responsibly handle the data of their Virginia customers. It’s Virginia’s answer to the global call for greater data privacy, fundamentally changing the relationship between consumers and companies in the digital age.
Part 1: The Legal Foundations of the VCDPA
The Story of the VCDPA: A National Privacy Movement
The journey to the VCDPA didn't begin in Richmond. It started across the Atlantic with the European Union's game-changing GDPR (General Data Protection Regulation) in 2018. The GDPR established a new global benchmark for data privacy, forcing companies worldwide to rethink how they handle personal information. This sent ripples across the United States, and in 2018, California responded by passing the CCPA (California Consumer Privacy Act), the first comprehensive state privacy law in the nation.
Seeing the momentum, other states began to act. Virginia, aiming to position itself as a business-friendly yet privacy-conscious state, moved swiftly. On March 2, 2021, Virginia became the second state in the U.S. to enact its own comprehensive data privacy law, the VCDPA. Unlike the CCPA, which was born from a ballot initiative, the VCDPA was a product of the state legislature, designed with input from industry groups. This legislative origin shaped its character, making it in some ways more aligned with the GDPR's terminology (using terms like “controller” and “processor”) and more moderate in its enforcement mechanisms than its California counterpart. The law officially went into effect on January 1, 2023, marking a new chapter for data privacy in the Commonwealth and contributing to the growing “patchwork” of state-level privacy laws across America.
The Law on the Books: The Code of Virginia
The VCDPA is formally codified in the Code of Virginia. The core of the law can be found in Title 59.1, Chapter 53 (§ 59.1-575 et seq.).
A key passage, Va. Code § 59.1-578, establishes the core consumer rights:
“A consumer has the right to (i) confirm whether or not a controller is processing the consumer's personal data and to access such personal data; (ii) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data; (iii) delete personal data provided by or obtained about the consumer; (iv) obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format…; and (v) opt out of the processing of the personal data for purposes of (a) targeted advertising, (b) the sale of personal data, or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
In plain English, this statute is the heart of the VCDPA. It gives Virginians five clear, legally enforceable rights over their data, shifting the balance of power from the company to the individual.
A Nation of Contrasts: VCDPA vs. Other Privacy Laws
The VCDPA is part of a growing family of U.S. state privacy laws, each with its own unique flavor. Understanding these differences is crucial for businesses operating nationwide.
| Feature | VCDPA (Virginia) | CCPA/CPRA (California) | CPA (Colorado) | GDPR (Europe) |
| --- | --- | --- | --- | --- |
| Core Principle | Puts consumers in control of their data. Business-friendly approach. | Gives consumers strong control and ownership rights over their data. | Similar to VCDPA, focused on consumer rights and controller duties. | A fundamental human right to data protection. Very strict. |
| Applies To | Controls/processes data of 100k+ VA consumers OR 25k+ VA consumers if >50% revenue is from data sales. | For-profit entities that meet one of three thresholds: $25M+ gross revenue, OR handle data of 100k+ CA consumers, OR 50%+ revenue from selling/sharing data. | Controls/processes data of 100k+ CO consumers OR 25k+ CO consumers if any revenue is derived from data sales. | Any organization processing the personal data of individuals in the EU, regardless of the company's location. |
| “Personal Data” Definition | Information linked or reasonably linkable to an identified or identifiable natural person. | Information that identifies, relates to, or could reasonably be linked with a particular consumer or household. Broader, includes “household”. | Information linked or reasonably linkable to an identified or identifiable individual. | Any information relating to an identified or identifiable natural person (“data subject”). |
| Consumer Rights | Access, Correct, Delete, Portability, Opt-out of Sale/Targeted Ads/Profiling. | Know, Delete, Correct, Opt-out of Sale/Sharing, Limit Use of Sensitive Data. | Access, Correct, Delete, Portability, Opt-out of Sale/Targeted Ads/Profiling. | Access, Rectification, Erasure, Portability, Restrict Processing, Object, Not be subject to automated decision-making. |
| Enforcement | Exclusively by the Attorney General. 30-day “right to cure” violations before fines. Fines up to $7,500 per violation. | Enforced by the California Privacy Protection Agency (CPPA). Limited private right of action for data breaches. Fines up to $7,500 per intentional violation. | Jointly by the Attorney General and District Attorneys. 60-day “right to cure” (sunsets in 2025). Fines up to $20,000 per violation. | Enforced by national Data Protection Authorities (DPAs). Fines up to €20 million or 4% of global annual revenue, whichever is higher. |
* What this means for you: If you are a Virginia resident, your rights are robust but you must rely on the Attorney General to enforce them. If you are a business owner, the VCDPA's thresholds and enforcement are more moderate than California's, but the compliance obligations are still significant.
Part 2: Deconstructing the Core Elements
The Anatomy of the VCDPA: Key Components Explained
To truly understand the VCDPA, you need to break it down into its essential parts: who it applies to, what data it protects, and the specific rights and responsibilities it creates.
Element: Applicability (Does This Law Apply to My Business?)
The VCDPA is not a blanket law for every business. It applies to for-profit entities that conduct business in Virginia or produce products or services targeted to Virginia residents and, during a calendar year, either:
* Control or process the personal data of at least 100,000 Virginia consumers; or
* Control or process the personal data of at least 25,000 Virginia consumers AND derive over 50 percent of their gross revenue from the “sale” of personal data.
There are also significant exemptions. The VCDPA does not apply to state bodies, non-profits, institutions of higher education, and entities covered by federal laws like HIPAA (for health information) or the Gramm-Leach-Bliley Act (for financial information).
Real-Life Example: A small bakery in Roanoke with a local customer list of 5,000 people is likely exempt. However, a mid-sized e-commerce company based in North Carolina that actively markets and sells to 120,000 customers in Virginia falls squarely under the VCDPA's jurisdiction.
Element: Key Definitions (The Language of VCDPA)
Personal Data: Any information that is linked or reasonably linkable to an identifiable person. This includes obvious things like a name or email address, but also less obvious identifiers like an IP address or geolocation data. It does not include de-identified data or publicly available information.
Sensitive Data: A special category of personal data that requires explicit consumer consent (“opt-in”) to be processed. This includes data revealing racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, precise geolocation data, and biometric data.
Controller: The entity that determines the “purposes and means” of processing personal data. This is typically the main business that the consumer interacts with.
Processor: The entity that processes personal data on behalf of a controller. Think of a cloud storage provider or a third-party email marketing service. They are working under the controller's instructions.
Sale of Personal Data: The exchange of personal data for monetary consideration. This definition is narrower than California's, which includes exchanges for “other valuable consideration.”
Element: Consumer Rights (Your Data, Your Rules)
The VCDPA grants Virginia residents five main rights:
Right to Access: You can confirm if a business is processing your data and get a copy of it.
Right to Correct: You can request that a business fix any inaccuracies in your personal data.
Right to Delete: You can ask a business to erase the personal data it holds about you, with some exceptions (like data needed to complete a transaction or comply with a legal obligation).
Right to Data Portability: You can obtain a copy of your data in a usable format that allows you to easily transmit it to another service.
Right to Opt-Out: This is a powerful right. You can direct a business to stop processing your data for three specific purposes: (1) targeted advertising, (2) the sale of your personal data, and (3) profiling that produces legal or similarly significant effects (e.g., decisions about loans, housing, or employment).
The Players on the Field: Who's Who in VCDPA Compliance
The Consumer: A resident of Virginia acting in an individual or household context. The VCDPA's rights are for them.
The Controller (The Business): The main entity responsible for compliance. They must provide clear privacy notices, respond to consumer requests, and conduct data protection assessments for high-risk activities.
The Processor (The Vendor): A third party working for the controller. Processors must follow the controller's instructions and assist them in meeting their VCDPA obligations. The relationship must be governed by a legally binding data processing agreement.
The Virginia Attorney General: The sole enforcer of the VCDPA. The AG's office investigates potential violations, issues notices, and can bring legal action seeking financial penalties against non-compliant businesses.
Part 3: Your Practical Playbook
This section is divided into two guides: one for consumers who want to exercise their rights, and one for businesses that need to comply with the law.
For Consumers: How to Exercise Your VCDPA Rights
Step 1: Identify Where Your Data Is
Think about the companies you interact with online: social media platforms, e-commerce sites, news websites, streaming services. Any of these that meet the VCDPA's applicability thresholds are required to honor your rights.
Step 2: Find the Company's Privacy Policy
Scroll to the bottom of the company's website. Look for a link that says “Privacy Policy,” “Your Virginia Privacy Rights,” or something similar. This document is legally required to explain how the company collects and uses your data, and crucially, how you can submit a request to exercise your rights.
Step 3: Submit a Verifiable Consumer Request
The privacy policy must provide you with one or more designated methods for submitting requests, such as a web form, a toll-free number, or an email address.
Be Clear: State your name, that you are a Virginia resident, and which right you wish to exercise (e.g., “I am requesting a copy of all personal data you have collected about me,” or “I am requesting to opt out of the sale of my personal data”).
Verification: The business must take reasonable steps to verify your identity to prevent fraud. They might ask you to confirm your email address or provide information they already have on file for you. They cannot ask for sensitive information like a Social Security number unless it's essential.
Step 4: Track the Timeline and Follow Up
A business has 45 days to respond to your request. They can extend this period by another 45 days if reasonably necessary, but they must inform you of the extension within the initial 45-day window. If they deny your request, they must explain why and provide instructions on how you can appeal their decision.
Step 5: Appeal a Denial or File a Complaint
If your request is denied and you believe the denial was improper, you can use the company's appeal process. If the appeal is also denied, or if the company never responds, you can file a complaint with the Virginia Attorney General's Office of Consumer Protection.
For Businesses: Your VCDPA Compliance Checklist
Step 1: Data Mapping and Applicability Assessment
First, determine if you are subject to the VCDPA. Analyze your data processing activities against the thresholds (100k consumers, or 25k consumers + 50% revenue from data sales).
Conduct a data mapping exercise. You can't protect what you don't know you have. Identify all the personal data you collect, where it's stored, why you collect it, and who you share it with. Pay special attention to “sensitive data.”
Step 2: Update Your Privacy Notice
Your privacy policy must be clear, transparent, and easily accessible. It must disclose:
* The categories of personal data you process.
* The purpose for processing that data.
* How consumers can exercise their rights.
* The categories of data you share with third parties.
* The categories of third parties you share data with.
Step 3: Establish a Process for Consumer Requests
* You must provide at least two methods for consumers to submit requests.
* Train your staff to recognize, verify, and respond to these requests within the 45-day deadline.
* Develop a clear process for handling appeals.
Step 4: Review and Implement Vendor Contracts
If you use processors (e.g., a cloud provider, an analytics service), you must have a data processing agreement (DPA) in place. This contract must outline the processor's duties and responsibilities regarding the data you entrust to them.
Step 5: Conduct Data Protection Assessments
The VCDPA requires you to conduct and document a data protection assessment for any processing activities that present a heightened risk of harm to consumers. This includes:
* Processing data for targeted advertising.
* Selling personal data.
* Processing sensitive data.
* Certain types of profiling.
Part 4: Foundational Cases That Shaped Privacy Law
While the VCDPA itself is too new to have generated its own body of case law, its principles are built on decades of legal thought around privacy. Understanding these landmark cases provides context for why laws like the VCDPA exist.
Case Study: Katz v. United States (1967)
Backstory: Charles Katz was convicted of illegal gambling based on evidence gathered by the FBI from a listening device placed on the outside of a public phone booth he used.
Legal Question: Does the Fourth Amendment's protection against “unreasonable searches and seizures” require a physical intrusion into a person's property?
The Holding: The Supreme Court ruled in favor of Katz, establishing the principle of a “reasonable expectation of privacy.” The Court famously stated that the Fourth Amendment “protects people, not places.”
Impact on VCDPA: This case established the foundational idea that privacy is not just about physical trespass but about an individual's right to control their personal sphere. The VCDPA extends this concept from the government to corporations, giving people a reasonable expectation of control over their digital information.
Case Study: Sorrell v. IMS Health Inc. (2011)
Backstory: Vermont passed a law that restricted the sale, disclosure, and use of pharmacy records that revealed the prescribing practices of individual doctors. Data mining companies, who used this data to help pharmaceutical companies target their marketing, sued.
Legal Question: Does a state law that restricts the use of commercially valuable information violate the First Amendment's protection of free speech?
The Holding: The Supreme Court struck down the Vermont law, ruling that data is a form of speech and that restricting its use based on the content or the speaker was unconstitutional.
Impact on VCDPA: This case highlights the tension between privacy and free speech. The VCDPA's “opt-out” model, rather than a total ban, is a direct result of this legal reality. It doesn't prohibit the “speech” (data sharing), but it gives the individual the right to withdraw their consent, balancing commercial speech rights with personal privacy interests.
Enforcement Insight: The Sephora Case (California, 2022)
Backstory: The California Attorney General brought the first-ever enforcement action under the CCPA against cosmetics retailer Sephora. The AG alleged Sephora failed to disclose to consumers that it was selling their personal information and failed to honor user requests to opt out of sales submitted via a global privacy control browser signal.
The Outcome: Sephora settled for $1.2 million and agreed to a comprehensive compliance plan.
Impact on VCDPA: Though a CCPA case, this was a wake-up call for businesses nationwide. It showed that attorneys general are serious about enforcing these new privacy laws. It specifically highlighted the importance of transparently disclosing data sharing with analytics and advertising partners as a “sale” and the need to have functional, easy-to-use opt-out mechanisms. Virginia's Attorney General will likely look to such precedents when beginning VCDPA enforcement.
Part 5: The Future of the VCDPA
Today's Battlegrounds: Current Controversies and Debates
No Private Right of Action: The most significant debate around the VCDPA is its lack of a private right of action. Consumer advocates argue that without the ability for individuals to sue companies directly, the law lacks teeth. They believe relying solely on a busy Attorney General's office for enforcement may lead to under-enforcement. Business groups, on the other hand, argue this approach prevents a flood of frivolous and expensive class-action lawsuits.
The 30-Day “Right to Cure”: The VCDPA gives businesses a 30-day window to fix a violation after being notified by the AG before any penalties are assessed. Proponents say this encourages compliance and is fair to businesses making good-faith efforts. Critics argue it's a “get out of jail free” card that reduces the incentive for companies to be proactive about compliance from day one.
The Push for a Federal Law: The growing “patchwork” of state laws (VA, CA, CO, UT, CT, and more) creates a complex compliance challenge for national businesses. This has intensified calls for a single, comprehensive federal privacy law to replace the state-by-state system. However, consensus in Congress on key issues—like whether a federal law should preempt state laws or the inclusion of a private right of action—remains elusive.
On the Horizon: How Technology and Society are Changing the Law
Artificial Intelligence (AI): The rise of generative AI and machine learning models, which are trained on vast amounts of data, poses new challenges for privacy law. Questions are emerging about whether training AI models on personal data constitutes “processing” under the VCDPA, and how consumer rights like deletion (“the right to be forgotten”) can be implemented once data is incorporated into a complex AI model.
Biometric and Health Data: As biometric scanners (fingerprints, facial recognition) and consumer health tech (fitness trackers, genetic testing kits) become more common, the VCDPA's protections for “sensitive data” will become increasingly critical. Expect future legislative amendments and enforcement actions to focus heavily on how this highly personal data is collected, used, and protected.
The Evolving Definition of “Sale”: The VCDPA's narrow, money-focused definition of a “sale” of data is already a point of contrast with other states. As data-sharing business models evolve, there will be continued pressure to broaden this definition to include exchanges of data for non-monetary benefits, like enhanced services or analytics, to better reflect the reality of the modern data economy.
Glossary of Key Terms
Biometric Data: Data generated from measurements of human characteristics, such as a fingerprint, voiceprint, or facial scan.
Consent: A clear affirmative act signifying a freely given, specific, informed, and unambiguous agreement to the processing of personal data.
Data Controller: The entity that determines the purpose and means of processing personal data.
Data Portability: The right of a consumer to obtain their data in a readily usable format to transmit to another controller.
Data Processing Agreement: A legally binding contract between a controller and a processor that details the terms of the data processing.
De-identified Data: Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable person.
GDPR: The General Data Protection Regulation, the European Union's landmark data privacy law.
HIPAA: The Health Insurance Portability and Accountability Act, a U.S. federal law protecting sensitive patient health information.
Personal Data: Any information that is linked or reasonably linkable to an identifiable natural person.
Private Right of Action: The right of an individual to sue a company directly to enforce a law, which is absent in the VCDPA.
Processor: An entity that processes personal data on behalf of a controller.
Profiling: Any form of automated processing of personal data to evaluate, analyze, or predict aspects of a person's behavior or preferences.
Sensitive Data: A special category of personal data (e.g., health, race, geolocation) that requires a higher level of protection.
Targeted Advertising: Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications.