VCDPA

Virginia Consumer Data Protection Act

Virginia Office of the Attorney General

Virginia consumer privacy law granting access, deletion, correction, and opt-out rights for targeted advertising, sale, and profiling, with controller/processor obligations modeled on the GDPR.

6Citations
0Audited
6Reference only
Jul 2026Last amended
Official source ↗Effective January 1, 2023
§ 59.1-575Reference

Definitions

Defines key terms for the Virginia Consumer Data Protection Act (VCDPA), including consumer, controller, processor, personal data, sensitive data, consent, and sale of personal data. Under VCDPA, a consumer must be a Virginia resident acting in an individual or household context.

ScopeSensitive PIOpt-Out
§ 59.1-576Reference

Scope; exemptions

Establishes applicability thresholds for businesses targeting Virginia residents, requiring compliance for entities processing data of 100,000+ consumers, or 25,000+ consumers if over 50% of gross revenue comes from selling personal data. Provides exemptions for government entities, HIPAA-covered entities, GLBA financial institutions, and nonprofits.

ScopeData Collection
§ 59.1-577Reference

Personal data rights

Grants Virginia consumers key rights, including confirming processing and accessing data, correcting inaccuracies, deleting personal data, obtaining a portable copy of data, and opting out of targeted advertising, sale of personal data, and profiling.

Consumer RightsOpt-Out
§ 59.1-578Reference

Controller duties

Requires data controllers to practice data minimization, implement reasonable data security, and obtain opt-in consent for sensitive data. Mandates a clear and accessible privacy notice disclosing categories of data collected, processing purposes, sharing with third parties, and instructions for exercising rights.

Privacy PolicyData Collection
§ 59.1-580Reference

Data protection assessments

Requires controllers to conduct and document data protection assessments for high-risk activities, including processing for targeted advertising, selling personal data, processing sensitive data, and profiling that poses a foreseeable risk of harm. Assessments must weigh processing benefits against consumer risks.

Data Protection AssessmentTargeted AdvertisingSensitive PI
§ 59.1-584Reference

Enforcement

Vests exclusive enforcement authority in the Virginia Attorney General and denies a private right of action for consumers. Requires a 30-day notice and cure period before initiating actions, and allows civil penalties of up to $7,500 per violation and recovery of reasonable investigative expenses.

Enforcement

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit