§ 59.1-580StatuteReference only

Data protection assessments

Effective January 1, 2023Reviewed July 2026

Reference only: This requirement is not currently tested by the Privisy scanner. It is included for reference. Consult a qualified attorney to assess your compliance posture.

What it requires

Requires controllers to conduct and document data protection assessments for high-risk activities, including processing for targeted advertising, selling personal data, processing sensitive data, and profiling that poses a foreseeable risk of harm. Assessments must weigh processing benefits against consumer risks.

Legal text (excerpt)

A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: 1. The processing of personal data for purposes of targeted advertising; 2. The sale of personal data; 3. The processing of personal data for purposes of profiling...

Virginia Consumer Data Protection Act: § 59.1-580, Statute, effective 2023

Primary source

Virginia Office of the Attorney General: § 59.1-580: Data protection assessments

Legal notice: This page is for informational purposes only and does not constitute legal advice. The legal text excerpt is reproduced from official public sources and is current as of the stated effective date. Laws change: verify against the authoritative source and consult a licensed attorney for compliance guidance.

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit