§ 59.1-576StatuteReference only

Scope; exemptions

Effective January 1, 2023Reviewed July 2026

Reference only: This requirement is not currently tested by the Privisy scanner. It is included for reference. Consult a qualified attorney to assess your compliance posture.

What it requires

Establishes applicability thresholds for businesses targeting Virginia residents, requiring compliance for entities processing data of 100,000+ consumers, or 25,000+ consumers if over 50% of gross revenue comes from selling personal data. Provides exemptions for government entities, HIPAA-covered entities, GLBA financial institutions, and nonprofits.

Legal text (excerpt)

This chapter shall apply to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process the personal data of at least 100,000 consumers or (ii) control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Virginia Consumer Data Protection Act: § 59.1-576, Statute, effective 2023

Primary source

Virginia Office of the Attorney General: § 59.1-576: Scope; exemptions

Legal notice: This page is for informational purposes only and does not constitute legal advice. The legal text excerpt is reproduced from official public sources and is current as of the stated effective date. Laws change: verify against the authoritative source and consult a licensed attorney for compliance guidance.

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit