Virginia Consumer Data Protection Act: A Plain-English Guide for Growing Businesses
VCDPA explained for small businesses: thresholds, consumer rights, penalties, and a step-by-step compliance checklist for Virginia's privacy law.
Last updated: 2026-02-08
If your business touches data from Virginia residents, you are now operating under one of the most influential privacy laws in the country. The Virginia Consumer Data Protection Act (VCDPA) was the second comprehensive state privacy law in the United States after California's CCPA, and it became the blueprint that a dozen other states used when drafting their own legislation. That matters to you because understanding the VCDPA is not just about Virginia -- it is about understanding the direction American privacy law is heading. Whether you are a SaaS company with a handful of Virginia customers or an e-commerce shop shipping into the state, this guide breaks down exactly what the VCDPA requires, who it covers, and what you need to do about it.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Virginia Consumer Data Protection Act (Va. Code Ann. sections 59.1-575 through 59.1-585), as of the date of publication.
Does the VCDPA Apply to Your Business?
The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents, and meet at least one of two thresholds (Va. Code Ann. section 59.1-576):
- Control or process personal data of at least 100,000 Virginia consumers during a calendar year. Note that this excludes data processed solely for completing a payment transaction.
- Control or process personal data of at least 25,000 Virginia consumers and derive more than 50% of gross revenue from the sale of personal data.
These thresholds are easier to cross than they might sound. If you operate a website with meaningful Virginia traffic, 100,000 consumers is not an enormous number: a site with around 300,000 unique visitors per year, a third of them from Virginia, could be in scope, because identifiers such as IP addresses and cookie IDs are personal data. Note that "consumer" means a natural person who is a Virginia resident acting in an individual or household context. Individuals acting in a commercial or employment context are excluded, so employee records and B2B contact data do not count toward the thresholds.
The second threshold targets businesses whose primary business model involves data. If you are a data broker, an ad-tech company, or any business where selling personal data is a significant revenue stream, and you touch at least 25,000 Virginia consumers, you are covered.
Unlike California's CCPA, the VCDPA does not include a revenue threshold. A business with $500 million in annual revenue that processes data from only 5,000 Virginia consumers is not covered. Conversely, a small startup processing data from 100,000 Virginia consumers is covered regardless of revenue. The law is entirely data-volume-driven.
The VCDPA also applies to "controllers" (businesses that determine the purpose and means of processing) and "processors" (businesses that process data on behalf of a controller). If you are a processor, you must follow the instructions of your controller and help them comply with the law under a written contract.
Exemptions exist for state and local government entities, nonprofits, higher education institutions, financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), and entities covered by HIPAA. Data types already regulated by certain federal laws (such as FCRA-covered data) are also exempt.
What Rights Do Consumers Have?
The VCDPA grants Virginia residents seven specific rights over their personal data. These rights form the core of what you must be prepared to handle.
Consumers have the right to access the personal data a business has collected about them. They can ask you what categories of data you hold, what specific data points you have, and you must provide it. They have the right to correct inaccuracies in their personal data, which means you need a process for receiving and acting on correction requests. They can request deletion of their personal data, and you must comply unless an exemption applies. The right to data portability means consumers can request their data in a portable, readily usable format so they can transmit it to another controller. Consumers can opt out of the sale of personal data, opt out of targeted advertising, and opt out of profiling that produces legal or similarly significant effects.
| Right | Granted? | Notes |
|---|---|---|
| Access | Yes | Consumer can request all personal data you hold |
| Correction | Yes | Consumer can fix inaccurate data |
| Deletion | Yes | Consumer can request erasure of their data |
| Portability | Yes | Data must be provided in a portable format |
| Opt-out of sale | Yes | Consumer can stop the sale of their data |
| Opt-out of targeted advertising | Yes | Consumer can opt out of targeted ads |
| Opt-out of profiling | Yes | Limited to profiling with legal or significant effects |
| Private right of action | No | Only the Attorney General can enforce |
When a consumer submits a request, you must respond without undue delay and in any case within 45 days of receiving it. You can extend this once by an additional 45 days if reasonably necessary given the complexity or volume of requests, but you must inform the consumer of the extension and the reason for it within the initial 45-day window. You are not required to act on a request you cannot authenticate using commercially reasonable efforts; in that case you may ask the consumer for additional information reasonably necessary to verify the request. That authentication step matters for security as much as for compliance: acting on an unverified access request discloses personal data to whoever asked for it, and acting on an unverified deletion request destroys it. If you decline a request, you must explain why and inform the consumer of their right to appeal. You must decide the appeal within 60 days of receiving it and explain your reasons in writing. If the appeal is also denied, you must provide information on how to file a complaint with the Virginia Attorney General.
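The request workflow above has a few rules that are easy to get wrong in a ticketing system: the 45-day clock runs from receipt, an extension is allowed only once and only if the notice goes out inside the initial window, nothing should be fulfilled before the requester is authenticated, and a denied appeal must carry Attorney General complaint information. The following tracker is an added example written for this guide, not code from the page or from any vendor; the class and function names are hypothetical, the clock is assumed to start on the date of receipt, and the sample dates are constructed.

```python
"""Hypothetical VCDPA consumer-request tracker (added example, not from the original page)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

INITIAL_RESPONSE_DAYS = 45   # Va. Code Ann. 59.1-577(B): respond within 45 days of receipt
EXTENSION_DAYS = 45          # one extension of up to 45 more days, noticed within the first window
APPEAL_RESPONSE_DAYS = 60    # 59.1-577(C): decide an appeal within 60 days of receiving it

RIGHTS = {"access", "correction", "deletion", "portability",
          "opt_out_sale", "opt_out_targeted_ads", "opt_out_profiling"}


@dataclass
class ConsumerRequest:
    request_id: str
    right: str
    received: date                 # assumption: the statutory clock starts on this date
    authenticated: bool = False
    status: str = "awaiting_authentication"
    extended_on: date | None = None
    denial_reason: str | None = None
    appeal_received: date | None = None
    ag_complaint_info: str | None = None
    log: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.right not in RIGHTS:
            raise ValueError(f"unknown right: {self.right}")

    def response_deadline(self) -> date:
        days = INITIAL_RESPONSE_DAYS + (EXTENSION_DAYS if self.extended_on else 0)
        return self.received + timedelta(days=days)

    def appeal_deadline(self) -> date | None:
        if self.appeal_received is None:
            return None
        return self.appeal_received + timedelta(days=APPEAL_RESPONSE_DAYS)

    def is_overdue(self, today: date) -> bool:
        if self.status in ("awaiting_authentication", "open"):
            return today > self.response_deadline()
        if self.status == "appeal_open":
            return today > self.appeal_deadline()
        return False


def authenticate(req: ConsumerRequest, today: date, verified: bool) -> None:
    """Gate every action behind authentication. An unverified access request leaks data to
    whoever asked; an unverified deletion request destroys it. The statute lets the controller
    ask for more information instead of acting on a request it cannot authenticate."""
    if verified:
        req.authenticated = True
        req.status = "open"
        req.log.append(f"{today}: request authenticated")
    else:
        req.log.append(f"{today}: could not authenticate; asked consumer for additional information")


def extend(req: ConsumerRequest, today: date, reason: str) -> None:
    """One extension of 45 days; the notice and its reason must be sent inside the initial window."""
    if req.extended_on is not None:
        raise ValueError("only one extension is permitted")
    if today > req.received + timedelta(days=INITIAL_RESPONSE_DAYS):
        raise ValueError("extension notice must be sent within the initial 45-day window")
    req.extended_on = today
    req.log.append(f"{today}: extension notice sent, reason: {reason}")


def _require_open(req: ConsumerRequest) -> None:
    if not req.authenticated or req.status != "open":
        raise ValueError("request must be authenticated and open before it is acted on")


def fulfil(req: ConsumerRequest, today: date) -> None:
    _require_open(req)
    req.status = "fulfilled"
    req.log.append(f"{today}: fulfilled")


def deny(req: ConsumerRequest, today: date, reason: str) -> str:
    """A denial must state the reason and tell the consumer they may appeal."""
    _require_open(req)
    req.status = "denied"
    req.denial_reason = reason
    req.log.append(f"{today}: denied: {reason}")
    return f"Request {req.request_id} denied: {reason}. You have the right to appeal this decision."


def appeal(req: ConsumerRequest, today: date) -> None:
    if req.status != "denied":
        raise ValueError("only a denied request can be appealed")
    req.appeal_received = today
    req.status = "appeal_open"
    req.log.append(f"{today}: appeal received; decision due {req.appeal_deadline()}")


def decide_appeal(req: ConsumerRequest, today: date, granted: bool,
                  ag_complaint_info: str | None = None) -> str:
    """A denied appeal must include how to complain to the Virginia Attorney General."""
    if req.status != "appeal_open":
        raise ValueError("no open appeal")
    if granted:
        req.status = "appeal_granted"
        req.log.append(f"{today}: appeal granted")
        return "Appeal granted."
    if not ag_complaint_info:
        raise ValueError("a denied appeal must include Attorney General complaint information")
    req.status = "appeal_denied"
    req.ag_complaint_info = ag_complaint_info
    req.log.append(f"{today}: appeal denied")
    return f"Appeal denied. You may submit a complaint to the Virginia Attorney General: {ag_complaint_info}"


if __name__ == "__main__":
    # Constructed walk-through: deletion request received 5 Jan 2026.
    r = ConsumerRequest("req-001", "deletion", date(2026, 1, 5))
    authenticate(r, date(2026, 1, 6), verified=False)   # identity not yet established
    authenticate(r, date(2026, 1, 8), verified=True)
    extend(r, date(2026, 2, 1), "unusually high request volume")
    print("response due", r.response_deadline())      # 2026-04-05
    print(deny(r, date(2026, 2, 10), "data is exempt under FCRA"))
    appeal(r, date(2026, 3, 1))
    print(decide_appeal(r, date(2026, 3, 20), False, "https://www.oag.state.va.us (assumed contact page)"))
    print("\n".join(r.log))
```

The tracker refuses the two mistakes that most often turn a compliance lapse into an incident: fulfilling before authentication, and issuing a second or late extension to buy time. Everything else is a deadline calculation you can wire into whatever ticketing system you already run.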
What Your Business Must Do
Compliance with the VCDPA is not just about responding to consumer requests. The law imposes several proactive obligations on businesses.
Privacy notice: You must provide a clear, accessible privacy notice that discloses the categories of personal data you process, the purposes of processing, how consumers can exercise their rights, the categories of data you share with third parties, and the categories of third parties you share data with. If you sell personal data or use it for targeted advertising, you must clearly disclose that fact.
Data minimization: You may only collect personal data that is adequate, relevant, and reasonably necessary for the purposes you have disclosed. You cannot collect data speculatively or stockpile it for undefined future use. This is a meaningful shift from the "collect everything" approach many businesses have taken.
Purpose limitation: You cannot process personal data for purposes that are not reasonably necessary to or compatible with the purposes you disclosed, unless you get the consumer's consent.
Security: You must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data. The law does not prescribe specific security measures, but the standard is "reasonable" given the volume and nature of the data.
Consent for sensitive data: Processing sensitive data requires the consumer's consent. Sensitive data under the VCDPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification, personal data from a known child, and precise geolocation data.
Data protection assessments: You must conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers. This includes targeted advertising, the sale of personal data, processing sensitive data, and profiling.
Processor contracts: If you use processors (vendors that handle data on your behalf), you must have written contracts that define the data being processed, the purpose, the duration, and the rights and obligations of both parties. The processor must assist you in meeting your VCDPA obligations.
How Is the VCDPA Enforced?
The VCDPA is enforced exclusively by the Virginia Attorney General (Va. Code Ann. section 59.1-584). There is no private right of action, which means individual consumers cannot sue you directly for VCDPA violations. This is a significant difference from California's CCPA, where consumers can bring private lawsuits for certain data breaches.
Before the Attorney General can bring an action, they must provide the business with a 30-day cure period -- a written notice identifying the specific violation and giving you 30 days to fix it. If you cure the violation within that window and provide a written statement that the violation has been cured and that no further violations will occur, the Attorney General cannot pursue the action.
If you fail to cure, or if you breach your written cure statement, the Attorney General can seek an injunction and civil penalties of up to $7,500 per violation. Those penalties can add up quickly if the violation affects many consumers. A single systemic failure affecting 10,000 consumers could theoretically result in $75 million in penalties.
As of early 2026, the Virginia Attorney General has not publicly announced major enforcement actions under the VCDPA. However, the office has signaled that enforcement is a priority, and the 30-day cure period gives businesses a meaningful opportunity to correct issues before facing penalties.
How the VCDPA Compares to Other State Laws
Virginia's law became the model for many subsequent state privacy laws. Colorado, Connecticut, and several other states used the VCDPA's framework as their starting point. Understanding how these laws compare helps you plan a multi-state compliance strategy.
| Feature | Virginia (VCDPA) | California (CCPA/CPRA) | Colorado (CPA) |
|---|---|---|---|
| Effective date | January 1, 2023 | January 1, 2020 (CPRA: Jan 2023) | July 1, 2023 |
| Threshold | 100K consumers, or 25K consumers + over 50% of revenue from data sales | $25M+ annual revenue (inflation-adjusted), 100K consumers or households, or 50%+ of revenue from selling or sharing data | 100K consumers, or 25K consumers + any revenue or discount from data sales |
| Right to access | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes |
| Right to correct | Yes | Yes (CPRA) | Yes |
| Right to opt out of sale | Yes | Yes | Yes |
| Universal opt-out mechanism | No (not required) | Yes (required by CPRA) | Yes (required) |
| Cure period | 30 days (no sunset) | None guaranteed (CPRA made it discretionary) | 60 days, expired January 1, 2025 |
| Private right of action | No | Yes (for data breaches) | No |
| Max penalty per violation | $7,500 | $2,500 ($7,500 if intentional or involving minors) | $20,000 |
| Enforced by | Attorney General | AG + CPPA | Attorney General |
The key takeaway: if you are already CCPA-compliant, you are well-positioned for VCDPA compliance. The main adjustments involve adapting to the different threshold structure and ensuring your data protection assessments are documented. If you are VCDPA-compliant, extending to Colorado and Connecticut requires relatively minor adjustments.
Action Checklist for Small Businesses
Here is a practical, numbered list of what you should do to get compliant with the VCDPA:
1. Determine if the law applies to you. Count how many Virginia consumers' data you process annually. Check both the 100,000-consumer threshold and the 25,000-consumer-plus-revenue threshold.
2. Conduct a data inventory. Map out what personal data you collect from Virginia consumers, where it is stored, why you collect it, and who you share it with.
3. Update your privacy notice. Make sure it includes all VCDPA-required disclosures: categories of data processed, purposes, consumer rights, third-party sharing, and whether you sell data or use it for targeted advertising.
4. Build a consumer request process. Set up intake, verification, processing, and response workflows that can handle all seven consumer rights within the 45-day deadline.
5. Implement consent mechanisms for sensitive data. If you process any sensitive data categories, make sure you are obtaining opt-in consent before processing.
6. Conduct data protection assessments. Document assessments for targeted advertising, data sales, sensitive data processing, and profiling activities.
7. Review vendor contracts. Ensure all processor agreements include VCDPA-required terms covering data processing scope, purpose, duration, and obligations.
8. Train your team. Make sure everyone who handles consumer data or requests knows the basics of the VCDPA and your internal process.
9. Establish an appeal process. If you deny a consumer request, you need a documented appeal process and a path for the consumer to escalate to the Attorney General.
10. Document everything. Keep records of your compliance efforts, consumer requests, response timelines, and data protection assessments.
Key Dates
- March 2, 2021: VCDPA signed into law by Governor Ralph Northam.
- January 1, 2023: VCDPA took effect.
- Ongoing: the 30-day cure period remains in effect; the Virginia statute contains no sunset provision, unlike Colorado's, which expired January 1, 2025.
References
- Virginia Consumer Data Protection Act (VCDPA): Va. Code Ann. sections 59.1-575 through 59.1-585. Full text on Virginia Legislative Information System
- Virginia Attorney General's Office: Consumer Protection resources
- CCPA (California): Cal. Civ. Code sections 1798.100 through 1798.199.100. Full text
- Colorado Privacy Act (CPA): C.R.S. sections 6-1-1301 through 6-1-1313. Full text
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Ready to handle Virginia consumer data requests with confidence? Our DSAR Compliance Guide walks you through building a repeatable process for intake, verification, and response -- covering the VCDPA and every other major state privacy law. Or grab our DSAR Response Templates to get started today.