In this article

Sign up for our newsletter

Share this article

Take a close-up look into the Virginia's Consumer Data Protection Act (VCDPA).

What Is the VCDPA? 

Virginia's Consumer Data Protection Act (VCDPA), which went into effect January 1, 2023, grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared. 

The law aims to establish a framework that protects the rights and interests of Virginia residents and lays out comprehensive guidelines for businesses that process personal information of Virginia residents. It imposes various obligations on these entities to safeguard consumer privacy and ensure responsible data handling practices. By setting clear standards and requirements, the VCDPA seeks to create a more transparent and accountable environment for businesses and consumers alike. 

Who Is Subject to the VCDPA? 

It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following: 

  • Control or process the personal data of 100,000 or more;  
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information.  

VCDPA Requirements 

Businesses that meet the above criteria must: 

  • Provide consumers with a clear privacy notice that includes a way for consumers to opt-out of targeted advertising. 
  • Comply with certain consumer requests (such as providing access to their personal data) within 45 days. 
  • Obtain opt-in consent for sensitive data processing. 
  • Disclose to consumers if their data will be sold. Notably, the VCDPA’s definition of a “sale” only covers monetary transactions, while other laws also include transactions involving other valuable considerations. 
  • Allow consumers to opt out of having their data sold. 
  • Allow consumers to delete their data.  

You’ll notice that consumers must opt in first before businesses can collect their sensitive data. Under the VCDPA, sensitive data includes personal data that reveals religious beliefs, racial or ethnic origin, mental or physical health, citizenship or immigration status, or sexual orientation. Additionally, processing genetic or biometric data specifically to uniquely identify an individual is considered sensitive data, as well as the personal data from a known child or specific geolocation data. 

What Consumer Rights Does the VCDPA Grant? 

The VCDPA grants Virginia residents the right to control what happens with data collected about them. Specifically, the law allows consumers: 

  • The right to opt-out of behavioral advertising. 
  • The right to delete their data. 
  • The right to opt-out of the sale of their personal data.  
  • The right to data portability (the ability to transfer data from one platform to another).  

When a controller receives a subject rights request, they must respond within 45 days but can request a 45-day extension if the request is of a particularly high volume or complexity.  

Controllers can also decline requests, but they must include a valid justification for declining the request—for example, if the request was vexatious in nature. 

What Is a Service Provider Under VCDPA?  

Under the VCDPA, service providers are considered "processors." A processor would refer to any entity performing a task for the data "controller"—the company collecting the data and deciding how to use it. 

Under the VCDPA, controllers and processors have to contractually agree that the processor will delete or return all personal data at the controller's request, and processors can't use additional service providers unless they've contractually agreed to meet the VCDPA's requirements.  

What Are the Rules on Targeted Advertising?  

Some of the law's critics have said the bill should be more restrictive in its provisions on targeted advertising. Consumers have the right to opt out of their data being used for targeted advertising. The law defines targeted advertising as the use of Virginians' personal data to deliver advertisements based on data from third-party websites or apps in order to predict preferences or interests.  

But the law does not apply to: 

  • Ads based on activities within a data controller's own website or app. 
  • Ads based on a consumer's search query, website visit or online application. 
  • Ads directed to a consumer based on their request for information.  
  • Personal data processed only to measure or report advertising performance/reach.  

VCDPA Penalties 

The Virginia Attorney General will enforce the law. While it does not contain a private right of action as a consumer redress tool, it does allow the attorney general to seek civil penalties of up to $7,500 per violation. 

Comparing VCDPA to CCPA and CPRA

Below is a chart comparing some of Virginia's law with both the California Consumer Privacy Act (CCPA), which became effective in 2018, and the law that will replace it on Jan. 1, 2023, the Consumer Privacy Rights Act (CPRA). 

California Attorney General’s Office 
California Privacy Protection Agency
Virginia Attorney General's Office
Consumers can opt-out of automated decision-making 
Consumers can opt-out of profiling that produces "legal or significant effects," including for housing, employment and educational eligibility, for example 
Sensitive data
Businesses must disclose how they collect, use and disclose 

Consumers may opt-out of the use of their sensitive data
Consumers must opt-in to the collection and use of their sensitive data for processing
Data minimization
Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose
Businesses must only collect and retain what is adequate, relevant and reasonably necessary to the purpose, and that must be disclosed to consumers
Consumer remedies
Consumers may file a private right of action when lack of reasonable security leads to a breach
CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question
Companies must establish a process for consumers to submit complaints
No private right of action
Data Protection Impact Assessments
Required, specific rules to be determined by forthcoming rulemaking
Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm"
Businesses must fulfill validation consumer requests to delete their data 
Businesses fulfilling legitimate deletion requests must also notify third parties to delete such information
Businesses must delete personal data provided by or obtained via the consumer
Opt-out links
Businesses must have a “Do not sell my personal information” link
Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link 
Virginia requires users to be able to opt out of the sale of personal information, targeted advertising, and profiling. 
Up to $7,500 per violation or $2,500 per unintentional violation
Automatic $7,500 fine for violations of minors’ data (children under the age of 16)
Up to $7,500 per violation
Schedule a demo of Osano today

Privacy Policy Checklist

Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.

Download Now
Frame 481285
Share this article