Overview
The Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, was the second comprehensive state privacy law enacted in the United States, after California's CCPA. The VCDPA establishes a framework for how businesses must handle the personal data of Virginia residents, drawing on elements of the GDPR and of other US state privacy proposals.
The VCDPA takes a balanced approach that provides meaningful consumer rights while maintaining clear and predictable obligations for businesses. It has served as a model for many subsequent state privacy laws, including those of Colorado and Connecticut.
Who Does It Apply To?
The VCDPA applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents and that:
- Control or process the personal data of at least 100,000 Virginia residents during a calendar year, or
- Control or process the personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.
The VCDPA does not apply to:
- State and local government entities
- Nonprofit organizations
- Institutions of higher education
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Covered entities and business associates under HIPAA
- Data processed in an employment context
Key Requirements
Data Minimization
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose of processing. Data must not be processed for purposes that are incompatible with the disclosed purpose without additional consent.
Privacy Notice
Controllers must provide consumers with a clear and accessible privacy notice that includes:
- The categories of personal data processed
- The purpose of processing
- How consumers can exercise their rights
- The categories of personal data shared with third parties
- The categories of third parties with whom data is shared
Consent for Sensitive Data
Processing sensitive data requires the consumer's opt-in consent. Sensitive data includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data processed to uniquely identify an individual
- Personal data collected from a known child
- Precise geolocation data
Data Protection Assessments
Controllers must conduct data protection assessments for processing activities that present a heightened risk of harm to consumers:
- Processing personal data for targeted advertising
- Sale of personal data
- Processing sensitive data
- Processing for profiling where there is a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, or intrusion upon solitude
Processor Contracts
Controllers must establish contracts with processors that include clear instructions for processing, the nature and purpose of processing, data subject obligations, and requirements for data security and breach notification.
Individual Rights
Virginia residents have the following rights under the VCDPA:
- Right to know: Confirm whether a controller is processing their personal data and access that data
- Right to correct: Request correction of inaccuracies in personal data
- Right to delete: Request deletion of personal data provided by or obtained about the consumer
- Right to data portability: Obtain a copy of personal data in a portable and readily usable format that allows transfer to another controller
- Right to opt out: Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects
- Right to appeal: If a controller declines to take action on a consumer request, the consumer has the right to appeal and receive a written explanation of the reasons
Response Timelines
Controllers must respond to consumer rights requests within 45 days, with one 45-day extension available when reasonably necessary. The response must be provided free of charge, up to twice per consumer per year.
Enforcement and Penalties
The Virginia Attorney General has exclusive enforcement authority for the VCDPA:
- Cure period: The original law included a 30-day cure period, which expired on January 1, 2025. The Attorney General may now pursue enforcement without providing an opportunity to cure.
- Civil penalties: Violations can result in civil penalties of up to $7,500 per violation
- Injunctive relief: The Attorney General can seek court orders to stop ongoing violations
- Investigative powers: The Attorney General can issue civil investigative demands to gather information about potential violations
- No private right of action: Individual consumers cannot bring lawsuits directly under the VCDPA
How Apidly Helps
Apidly provides comprehensive VCDPA compliance support:
- Consumer rights management automates the intake, verification, and fulfillment of access, correction, deletion, portability, and opt-out requests within the 45-day response window
- Appeals process handling manages the required appeals workflow when consumer requests are denied, ensuring written explanations are provided and documented
- Data protection assessment templates guide you through the required assessments for targeted advertising, data sales, sensitive data processing, and profiling activities
- Processor agreement management provides template contracts and tracking for processor relationships that meet VCDPA's contractual requirements
- Sensitive data consent tracking identifies where sensitive data is processed and ensures opt-in consent is obtained and documented before processing begins