The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive data privacy law that protects people in Virginia and was enacted in 2021.
In this guide, I explain the requirements of the VCDPA, how it affects businesses and consumers, and which resources can help simplify compliance.
- What Is Virginia’s Consumer Data Protection Act (VCDPA)?
- VCDPA Key Terms and Definitions
- When Did the Virginia Consumer Data Protection Act Take Effect?
- Who Does the VCDPA Protect?
- Who Must Comply With the VCDPA?
- Consumer Privacy Rights
- VCDPA Business Requirements
- Penalties for Violating the VCDPA
- Using Termly for VCDPA Compliance
- Summary
What Is Virginia’s Consumer Data Protection Act (VCDPA)?
The Virginia Consumer Data Protection Act (VCDPA) is a U.S. state-level data privacy law that protects the personal information of residents of Virginia.
It outlines requirements entities must follow to legally collect, process, and use personal data, grants various rights to consumers, and describes penalties for violating the law.
Virginia was one of the first four states in the U.S. to pass a consumer privacy law and it’s similar in scope to the California Consumer Privacy Act (CCPA).
VCDPA Key Terms and Definitions
Below, I’ve compiled a list of key terms and definitions as they appear in the text of the VCDPA to help you better understand the scope of the law.
When Did the Virginia Consumer Data Protection Act Take Effect?
The VCDPA took effect on January 1, 2023.
An amendment to the VCDPA that strengthens protections for children’s privacy entered into effect on January 1, 2025.
Who Does the VCDPA Protect?
The VCDPA applies to any resident of Virginia acting in an individual or household context.
It does not apply to people in the state acting in commercial or employment contexts.
Who Must Comply With the VCDPA?
Your business must comply with the VCDPA if you conduct business in Virginia or target your products and services to residents of Virginia and meet either of the following thresholds:
- Control or process the personal data of 100,000 consumers during a calendar year, or
- Control or process the personal data of 25,000 consumers and earn 50% of gross revenue from the sale of personal data.
However, the following entities are exempt from the VCDPA:
- Banks or financial institutions
- State agencies
- Nonprofit organizations
- Colleges and universities
There are also exemptions for certain contexts and types of information, which include the following:
- Personal data of people acting in commercial or employment contexts
- Information under the Health Insurance Portability and Accountability Act (HIPAA)
- Personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Information and data related to credit reports, as regulated by the federal Fair Credit Reporting Act (FCRA)
- Information and data related to vehicle driver information, as regulated by the federal Driver’s Privacy Protection Act of 1994
- Information and data subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), which regulates banks and financial institutions
Consumer Privacy Rights
The VCDPA grants consumers specific rights related to the collection and use of their personal data, including the following:
- Confirm whether a controller is processing their personal data
- Access their personal data
- Correct inaccuracies in their personal data
- Request that a business delete their personal data
- Obtain a copy of their personal data
- Opt out of the processing of their personal data for targeted advertising
- Opt out of the sale of their personal data
- Opt out of profiling
- Not be discriminated against for exercising these rights
- Submit a complaint about violations of these rights
VCDPA Business Requirements
Below, I summarize the primary business requirements outlined by Virginia’s privacy law.
Lawful Processing of Data
Under the VCDPA, businesses must limit their collection of personal data to that which is adequate, relevant, and reasonably necessary in relation to the purpose for the processing as disclosed to the consumer.
Covered entities also cannot process sensitive data from consumers without first obtaining their explicit opt-in consent.
Privacy Policy Guidelines
The VCDPA requires businesses to present users with a clear, reasonably accessible, and meaningful privacy notice that includes the following information:
- The purposes for processing personal data
- The categories of personal data processed
- The categories of personal data shared with third parties
- The categories of personal data sold to third parties
- The categories of third parties with which personal data is shared
- How consumers can submit requests to exercise their rights
- How consumers can appeal decisions on their requests
- A clear disclosure of any processing of personal data for targeted advertising
- How consumers can exercise their right to opt out of that processing
Consent Management
The VCDPA requires businesses to obtain explicit and affirmative consent from consumers for certain types of data processing, including the collection of sensitive data.
Consent under the VCDPA must be affirmative, informed, and unambiguous.
You must also provide ways for consumers to opt out of targeted advertising, the sale of their personal data, and profiling.
Businesses under this law need to implement consent management solutions so Virginia residents can easily follow through on these rights.
Contractual Obligations
Any data controller that relies on a third party as its data processor must put in place a contract, signed by both parties, that requires the processor to:
- Ensure that all persons processing the data are subject to a duty of confidentiality,
- Delete or return all data at the end of the contract, at the controller’s direction,
- Make all information in the processor’s possession available to the controller, upon reasonable request, to demonstrate compliance with the law,
- Cooperate with and allow reasonable assessments by the controller or a third-party assessor, and
- Bind any subcontractors by a written contract to these same obligations.
Responding to Consumer Requests
Businesses under the VCDPA must respond to consumer requests to exercise their rights within 45 days.
That timeline can be extended by an additional 45 days when necessary, depending on the complexity and number of requests the business receives.
Under the VCDPA, businesses must respond to consumer requests free of charge up to twice per year.
Businesses are responsible for verifying the identity of the consumer who submitted a request before sending a response. Where necessary, you may ask the person for further information to confirm their identity.
Appeals Process
The VCDPA requires businesses to implement a process through which consumers can appeal your refusal to act on a request to exercise their privacy rights.
The process must be as easy for the consumer as originally submitting a request, and you must respond to it within 60 days of receipt.
Data Protection Assessments
Businesses under the VCDPA must conduct data protection assessments for the following data processing activities:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for the purposes of profiling
- Processing sensitive personal data
- Any processing activities that present a heightened risk of harm to consumers
After January 1, 2025, any controller offering online services, products, or features directed to known children must also conduct these assessments.
The assessment must identify and weigh the direct and indirect benefits of the processing to the controller, consumer, and other stakeholders against the risks to the rights of consumers.
The Attorney General can request that controllers disclose their data protection assessments when they are relevant to an investigation regarding compliance with the law.
If your business falls under multiple laws with a data protection assessment requirement, the VCDPA allows you to use a single assessment so long as it addresses comparable sets of processing operations and includes similar activities.
Data Security Guidelines
The VCDPA requires businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security measures to keep all data safe.
The security measures must protect the confidentiality, integrity, and accessibility of the data.
The security measures must be appropriate to the volume and nature of the information.
Common methods include data encryption, multi-factor authentication, and limiting who has access to the collected personal data.
Penalties for Violating the VCDPA
Penalties for violating the VCDPA include fines of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.
The Attorney General has the authority to enforce the VCDPA.
Consumers do not have a private right of action under this law.
Using Termly for VCDPA Compliance
Businesses can use Termly to help simplify compliance with several aspects of the VCDPA, including the privacy notice guidelines, consent management, and giving users straightforward ways to exercise their privacy rights.
Termly’s Privacy Policy Generator includes all necessary clauses as required by the text of the VCDPA. It asks basic questions about your business and its processing activities and then makes a unique, comprehensive policy for you based on your answers.
Backed by our legal team and data privacy experts, it includes helpful tips to make answering the questions even easier.
Additionally, businesses can use Termly’s Consent Management Platform (CMP) to meet the consent requirements outlined by the VCDPA. It includes a customizable consent banner and a cookie policy that updates whenever you perform a website scan.
It also comes with a free data subject access request form, so your users can easily submit requests to follow through on their various privacy rights under Virginia’s law.
Summary
The VCDPA is a comprehensive data privacy law that impacts businesses and consumers in several ways.
If your business is subject to this law, make sure you update your privacy policy and implement a consent management platform to meet the notification and transparency requirements outlined by the law.
Add one or more straightforward ways for Virginia residents to exercise their privacy rights to your website.
Make compliance extra easy and use Termly’s suite of solutions to easily meet the guidelines of laws like the VCDPA and more.