In this article

Sign up for our newsletter

Share this article

A close-up comparison of Virginia's Consumer Data Protection Act (CDPA) vs. California Consumer Privacy Act vs. California Privacy Rights Act

What is the VCDPA?

Virginia's Consumer Data Protection Act (VCDPA), which passed on March 2, 2021, grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared.

The VCDPA zoomed through the state's legislature with exceptional speed, just a few short weeks after its introduction. It joins California as only the second U.S. state to succeed in pushing privacy legislation through the legislature. 

The law contains some similarities to the EU General Data Protection Regulation's provisions and the California Consumer Privacy Act. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following:

  • Control or process the personal data of 100,000 or more; 
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. 

It requires businesses to: 

  • Provide consumers with a clear privacy notice that includes a way for consumers to opt-out of targeted advertising.
  • Comply with consumer requests to see data collected on them within 45 days.
  • Obtain opt-in consent for sensitive data processing.
  • Disclose to consumers if their data will be sold. 
  • Allow consumers to opt out of having their data sold.
  • Allow consumers to delete their data. 

What consumer rights does the VCDPA grant?

The VCDPA grants Virginia residents the right to control what happens with data collected about them. Specifically, the law allows consumers:

  • The right to opt-out of behavioral advertising.
  • The right to delete their data.
  • The right to opt-out of the sale of their personal data. 
  • The right to data portability (the ability to transfer data from one platform to another). 

What is a service provider under VCDPA? 

Under the VCDPA, service providers are considered "processors." A processor would refer to any entity performing a task for the data "controller" —  the company collecting the data and deciding how to use it.

Under the VCDPA, controllers and processors have to contractually agree that the processor will delete or return all personal data at the controller's request, and processors can't use additional service providers unless they've contractually agreed to meet the VCDPA's requirements. 

What are the rules on targeted advertising? 

Some of the law's critics have said the bill should be more restrictive in its provisions on targeted advertising. Consumers have the right to opt out of their data being used for targeted advertising. The law defines targeted advertising as the use of Virginians' personal data to deliver advertisements based on data from third-party websites or apps in order to predict preferences or interests. 

But the law does not apply to:

  • Ads based on activities within a data controller's own website or app.
  • Ads based on a consumer's search query, website visit or online application.
  • Ads directed to a consumer based on their request for information. 
  • Personal data processed only to measure or report advertising performance/reach. 

When does the VCDPA go into effect? 

The VCDPA becomes effective January 1, 2023. It's likely lawmakers will amend the law before then, and a workgroup will review the law and suggest changes by November 2021. 

The Virginia Attorney General will enforce the law. While it does not contain a private right of action as a consumer redress tool, it does allow the attorney general to seek civil penalties of up to $7,500 per violation. 

Comparing VCDPA to CCPA and CPRA

Below is a chart comparing some of Virginia's law with both the California Consumer Privacy Act (CCPA), which became effective in 2018, and the law that will replace it on Jan. 1, 2023, the Consumer Privacy Rights Act (CPRA). 

California Attorney General’s Office 
California Privacy Protection Agency
Virginia Attorney General's Office
Consumers can opt-out of automated decision-making 
Consumers can opt-out of profiling that produces "legal or significant effects," including for housing, employment and educational eligibility, for example 
Sensitive data
Businesses must disclose how they collect, use and disclose 

Consumers may opt-out of the use of their sensitive data
Consumers must opt-in to the collection and use of their sensitive data for processing
Data minimization
Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose
Businesses must only collect and retain what is adequate, relevant and reasonably necessary to the purpose, and that must be disclosed to consumers
Consumer remedies
Consumers may file a private right of action when lack of reasonable security leads to a breach
CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question
Companies must establish a process for consumers to submit complaints
No private right of action
Data Protection Impact Assessments
Required, specific rules to be determined by forthcoming rulemaking
Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm"
Businesses must fulfill validation consumer requests to delete their data 
Businesses fulfilling legitimate deletion requests must also notify third parties to delete such information
Businesses must delete personal data provided by or obtained via the consumer
Opt-out links
Businesses must have a “Do not sell my personal information” link
Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link 
Virginia requires users to be able to opt out of the sale of personal information, targeted advertising, and profiling. 
Up to $7,500 per violation or $2,500 per unintentional violation
Automatic $7,500 fine for violations of minors’ data (children under the age of 16)
Up to $7,500 per violation
Schedule a demo of Osano today

Privacy Policy Checklist

Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.

Download Now
Frame 481285
Share this article