Virginia's VCDPA has covered businesses that meet its consumer thresholds since January 1, 2023. It requires opt-out controls for targeted advertising and data sales, opt-in consent for sensitive data, and enforcement solely by the Virginia Attorney General.
Below: who has to comply, the six rights Virginia residents get, and what sensitive data means. Also covered: how the VCDPA's penalties, 30-day cure period, and no-private-lawsuit rule compare to the CCPA and GDPR.
What Is the Virginia Consumer Data Protection Act (VCDPA)?
The Virginia Consumer Data Protection Act (VCDPA), codified at Va. Code 59.1-575 et seq., is Virginia's comprehensive consumer data privacy law. It creates personal-data rights for Virginia consumers and compliance duties for the businesses, called controllers, that collect their data.
Virginia became the second US state to pass a comprehensive consumer privacy law, after California. The VCDPA became the template Colorado and Connecticut later copied. The law is inspired by the GDPR and uses the same "controller" and "processor" terminology. It keeps an opt-out consent model by default, though, rather than the GDPR's opt-in approach.
The VCDPA covers a broader wave of US state privacy laws that followed California's lead, each with its own thresholds and enforcement rules.
When Did the VCDPA Take Effect?
The VCDPA took effect January 1, 2023. Governor Ralph Northam signed it into law on March 2, 2021, giving businesses roughly 21 months to prepare.
The law's timeline:
- March 2, 2021: Governor Northam signs the VCDPA into law.
- January 1, 2023: The VCDPA becomes enforceable.
- January 1, 2026: A 2026 amendment adds a new social media provision limiting minors under 16 to one hour per day per platform, with age verification required.
The core rights, thresholds, and enforcement rules covered below have applied since January 1, 2023, and remain current law. Only the minors and social media provision is new for 2026.
Who Has to Comply with the VCDPA?
A business must comply with the VCDPA if it conducts business in Virginia or targets Virginia residents and meets one of two consumer-count thresholds.
A covered business must:
- Control or process the personal data of at least 100,000 Virginia consumers in a calendar year, or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of its gross revenue from the sale of personal data
The VCDPA sets no revenue-only threshold. Unlike the CCPA's $25 million annual-revenue gate, a small business with modest revenue can still fall under the VCDPA if it hits either consumer-count test. The law also reaches businesses with no physical presence in Virginia, as long as they target Virginia residents.
Who Is Exempt from the VCDPA?
Five categories of entities are exempt from the VCDPA outright, regardless of size or revenue.
- Virginia state and local government bodies and agencies
- Financial institutions and data covered by the Gramm-Leach-Bliley Act
- HIPAA-covered entities and protected health information
- Nonprofit organizations
- Institutions of higher education
The VCDPA's nonprofit and higher-education carve-outs are broader than some newer state privacy laws, which limit or remove those exemptions entirely.
What Rights Does the VCDPA Give Virginia Consumers?
Virginia residents get six core rights under the VCDPA, and businesses must act on requests within 45 days.
| Right | What it lets a consumer do |
|---|---|
| Confirm and access | Find out whether a controller is processing their personal data and obtain a copy |
| Correct | Fix inaccuracies in their personal data |
| Delete | Request deletion of personal data provided by or obtained about them |
| Data portability | Get a portable, usable copy of the data they gave the controller |
| Opt out | Stop processing for targeted advertising, the sale of personal data, or profiling with legal or similarly significant effects |
| Appeal | Challenge a controller's refusal to act on a request |
The right to appeal is a VCDPA-distinctive feature many other state privacy laws fold quietly into general rights language instead of naming outright. Controllers must respond to a request within 45 days of receipt, with one possible 45-day extension if they notify the consumer why.
Appeals get a separate 60-day response window. If a controller denies an appeal, it must tell the consumer how to file a complaint with the Attorney General.
What Counts as Sensitive Data Under the VCDPA?
Sensitive data under the VCDPA covers categories of personal data that carry higher privacy risk, and processing it requires the consumer's affirmative, opt-in consent.
Sensitive data includes:
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data used to uniquely identify a person
- Personal data collected from a known child
- Precise geolocation data, defined as location data accurate within a 1,750-foot radius
This is the VCDPA's sharpest departure from its own default rule. The law is opt-out for ordinary personal data, meaning businesses can collect it unless a consumer says no. It flips to opt-in for sensitive data, though: businesses need the consumer's consent before they process it at all. Controllers also cannot sell or offer to sell precise geolocation data, regardless of consent.
What Does the VCDPA Require Businesses to Do?
Covered businesses, called controllers under the VCDPA, carry a handful of core duties tied to how they collect, secure, and disclose personal data.
A controller must:
- Post a clear, accessible privacy notice describing what data it collects, why, and how consumers can exercise their rights
- Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose
- Get opt-in consent before processing sensitive data
- Maintain reasonable administrative, technical, and physical data security practices
- Honor consumer requests, including appeals, within the statutory timelines
- Run data protection assessments for high-risk processing activities
- Include required contract terms when working with data processors
A clear notice and a working opt-out mechanism sit at the center of VCDPA compliance, much like the GDPR's cookie consent rules.
Data Protection Assessments
A data protection assessment is a documented risk review a controller must complete before running certain high-risk processing activities. The VCDPA requires one for targeted advertising, selling personal data, profiling that presents a foreseeable risk of harm, and any processing of sensitive data.
The assessment weighs the benefits of the processing, to the controller, the consumer, and the public, against the risks to consumer rights. The Attorney General can request a completed assessment during an investigation, though the assessment itself stays confidential and exempt from public records requests.
How Is the VCDPA Enforced? (Fines and the Attorney General)
The Virginia Attorney General holds exclusive enforcement authority over the VCDPA. Consumers cannot sue directly; there is no private right of action under this law.
Before suing, the Attorney General must give a business 30 days' written notice identifying the specific violation. If the business cures the violation within that window and confirms it in writing, no lawsuit follows.
Unlike some other state privacy laws, the VCDPA's 30-day cure period has no sunset clause. It stays available to every business the Attorney General notifies, not just those notified during an early grace period.
If a business doesn't cure the violation, the Attorney General can sue for an injunction and civil penalties of up to $7,500 for each violation. The Attorney General can also recover its investigation and legal expenses.
How Is the VCDPA Different from the CCPA and GDPR?
The VCDPA, the CCPA, and the GDPR all protect consumer data. They diverge on three things: consent model, enforcement, and what counts as a "sale."
| VCDPA | CCPA/CPRA | GDPR | |
|---|---|---|---|
| Consent model | Opt-out (opt-in only for sensitive data) | Opt-out | Opt-in by default |
| Terminology | Controller / processor | Business / service provider | Controller / processor |
| "Sale" definition | Exchange for monetary consideration only | Monetary or other valuable consideration | Not a defined trigger; opt-in consent required upfront |
| Enforcement | Attorney General only, no private right of action | Attorney General, CPPA, and a limited private right of action for breaches | Data protection authorities, high statutory fines |
The "sale" gap is the sharpest. The CCPA defines a sale broadly enough to cover non-monetary exchanges of value. The VCDPA's definition triggers only on an exchange for money. So some data-sharing arrangements that count as a sale under the CCPA do not count under the VCDPA.
The VCDPA is inspired by GDPR in its controller and processor terminology, but it keeps an opt-out default instead of GDPR's opt-in requirement. Colorado's near-identical law followed the VCDPA's template closely, including its consumer-count thresholds.
What the VCDPA Means for Your Website and Cookies
A VCDPA-covered site needs a working opt-out mechanism for targeted advertising and data sales, plus opt-in consent before any sensitive-data processing happens.
The practical checklist for a covered site:
- Post a clear, accessible privacy notice describing your data practices
- Give Virginia visitors a way to opt out of targeted-advertising cookies and personal data sales
- Get affirmative, opt-in consent before loading anything that processes sensitive data
- Provide a way for visitors to submit and, if needed, appeal data requests
- Keep records of each visitor's consent choices
The opt-out requirement for targeted-advertising cookies ties the VCDPA's legal text directly to your cookie banner. A banner that only handles GDPR-style opt-in consent won't cover this obligation on its own; Virginia visitors need the opt-out path too.
The same banner-and-records discipline carries over when you get your site GDPR compliant for visitors under that law.
How Consently Helps You Meet Virginia's Opt-Out and Consent Requirements
Consently shows Virginia visitors an opt-out consent banner and keeps a record of their choices, covering the consumer-facing side of VCDPA compliance.
Consently's CCPA and US state-law opt-out tools display an opt-out banner using the CCPA / US State Laws template. It includes a control for targeted advertising and data-sale opt-outs.
Automatic geotargeting shows the right banner model to the right visitor: Virginia and other US-state visitors see the opt-out template. Visitors covered by opt-in laws see the GDPR-style model instead.
Two features back the paperwork side. Consent logs record each visitor's choice with a timestamp and export to CSV. That gives you an audit trail if the Attorney General ever opens an investigation. The cookie, privacy, and terms policy generators produce the clear, accessible privacy notice the VCDPA requires, built from your actual cookie and data-collection setup.
Consently does not detect or honor browser-level opt-out signals like Global Privacy Control. Using it also does not make a site "VCDPA compliant" on its own. It supports the specific consent and disclosure tasks above; the policy generators are compliance assistance, not legal advice. Try Consently free to set up your opt-out banner in minutes.
FAQs
What is the VCDPA in simple terms?
The VCDPA is a Virginia law that gives residents rights over their personal data. It requires covered businesses to honor opt-outs and get consent before processing sensitive data.
When did the Virginia Consumer Data Protection Act take effect?
The VCDPA took effect January 1, 2023. It was signed into law March 2, 2021, and a separate amendment affecting minors on social media takes effect January 1, 2026.
Who has to comply with the VCDPA?
Businesses that control or process the personal data of 100,000 or more Virginia consumers annually must comply. So must businesses that process 25,000 or more consumers while deriving over 50% of gross revenue from selling personal data.
Does the VCDPA apply to small businesses?
Only if a small business meets one of the two consumer-count thresholds. Many small sites stay under 100,000 Virginia consumers and don't sell personal data, which keeps them out of scope. Still, each business should check both tests against its own traffic and data practices.
What are the penalties for violating the VCDPA?
Violations can bring civil penalties of up to $7,500 per violation, sought by the Virginia Attorney General after a 30-day cure period expires uncured.
Who enforces the VCDPA?
The Virginia Attorney General enforces the VCDPA exclusively. No other state agency or private party can bring a VCDPA claim.
Is there a private right of action under the VCDPA?
No. Virginia consumers cannot sue businesses directly under the VCDPA; only the Attorney General can enforce the law.
What is the cure period under the VCDPA?
The cure period is 30 days. The Attorney General must give written notice and let a business fix the violation within 30 days before suing. This cure period does not sunset.
How is the VCDPA different from the CCPA?
The VCDPA stays opt-out with controller and processor terminology and defines a "sale" as an exchange for monetary consideration only. It also sets no revenue-only threshold and gives consumers no private right of action, all points where the CCPA takes a different or broader approach.

