Virginia Data Privacy Laws: VCDPA Consumer Rights Guide (2026)

Virginia has established itself as a national leader in data privacy protection. The Virginia Consumer Data Protection Act (VCDPA), codified at Va. Code 59.1-575 through 59.1-585, took effect on January 1, 2023. It was only the second comprehensive consumer data privacy law enacted in the United States, following California.
Since its passage, the Virginia General Assembly has continued to strengthen the law with amendments addressing children's data, social media restrictions for minors, and reproductive health information protections. This guide covers everything you need to know about Virginia's data privacy framework as of 2026.
What Is the Virginia Consumer Data Protection Act (VCDPA)?
The VCDPA is Virginia's comprehensive consumer data privacy law. Governor Ralph Northam signed it into law on March 2, 2021, and it became effective on January 1, 2023. The law is codified at Va. Code Title 59.1, Chapter 53.

The VCDPA gives Virginia consumers specific rights over their personal data. It also imposes obligations on businesses that collect and process consumer data. The Virginia Attorney General's office has published a summary explaining the law's key provisions for consumers.
Unlike California's privacy law, the VCDPA does not create a private right of action. Only the Virginia Attorney General can enforce the law. This distinction is important for both consumers and businesses operating in Virginia.
Key Definitions Under the VCDPA
The VCDPA defines several important terms that determine how the law applies. Under Va. Code 59.1-575, the key definitions include:
Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person. This does not include de-identified data or publicly available information.
Sensitive data receives extra protection under the law. It includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data used for identification purposes, personal data from a known child, and precise geolocation data.
Consumer means a natural person who is a Virginia resident acting in an individual or household context. The definition excludes people acting in a commercial or employment context.
Controller means the natural or legal person that determines the purposes and means of processing personal data. A processor means an entity that processes personal data on behalf of a controller.
Biometric data means data generated by automatic measurements of biological characteristics, such as fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns used to identify a specific individual. Digital photographs, video or audio recordings, and HIPAA-covered health care data are excluded from this definition.
Precise geolocation data means information that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.
Who Must Comply with the VCDPA?
The VCDPA applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents and meet one of two thresholds under Va. Code 59.1-576:
- Control or process the personal data of at least 100,000 Virginia consumers during a calendar year, OR
- Control or process the personal data of at least 25,000 Virginia consumers AND derive over 50% of gross revenue from the sale of personal data.
Who Is Exempt from the VCDPA?
The VCDPA includes several important exemptions. The following entities are not subject to the law:
- Virginia state agencies and political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Nonprofit organizations
- Institutions of higher education
- Political organizations (added by SB 534 and HB 714 amendments)
Additionally, certain categories of data are exempt even when held by covered entities. These include data regulated under the Fair Credit Reporting Act (FCRA), the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act (FERPA), and data processed for employment purposes.
Consumer Rights Under Virginia's VCDPA
The VCDPA grants Virginia consumers five core privacy rights under Va. Code 59.1-577. These rights allow consumers to maintain control over how their personal data is collected, used, and shared.
Right to Access and Confirm
Consumers have the right to confirm whether a controller is processing their personal data. If the controller is processing such data, the consumer has the right to access that data.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data. The controller must consider the nature of the personal data and the purposes of the processing when responding to correction requests.
Right to Delete
Consumers may request the deletion of personal data that the controller holds about them. This includes data the consumer provided directly and data the controller obtained from other sources.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and readily usable format. This allows consumers to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt Out
Consumers have the right to opt out of the processing of their personal data for three specific purposes:
- Targeted advertising based on personal data obtained from the consumer's activities across different businesses, websites, or applications
- Sale of personal data to third parties
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
How to Exercise Your Rights
To exercise any of these rights, consumers must submit a request to the controller. Controllers are required to respond within 45 days. They may extend this period by an additional 45 days when reasonably necessary, considering the complexity and number of requests.
Controllers must provide this service free of charge up to twice annually per consumer. If a request is manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee or decline to act on the request.
If a controller declines a request, the consumer may appeal. If the appeal is also denied, the consumer can file a complaint with the Virginia Attorney General.
Business Obligations Under the VCDPA
Controllers that fall under the VCDPA must meet several requirements outlined in Va. Code 59.1-578. These obligations are designed to ensure transparency and data minimization.
Data Collection Limitations
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes. They cannot collect excessive data or use data in ways that are not reasonably necessary for the stated purpose.
Security Requirements
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. These practices must protect the confidentiality, integrity, and accessibility of personal data. The level of security must be appropriate to the volume and nature of the personal data at issue.
Privacy Notice Requirements
Controllers must provide consumers with a reasonably accessible, clear privacy notice that includes:
- The categories of personal data processed by the controller
- The purpose for processing personal data
- How consumers may exercise their rights, including the right to appeal a controller's decision
- The categories of personal data shared with third parties
- The categories of third parties with whom personal data is shared
Consent for Sensitive Data
Controllers must not process sensitive data without first obtaining the consumer's consent. This is a critical requirement. Sensitive data categories that require affirmative consent include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation or citizenship status
- Genetic or biometric data for identification purposes
- Precise geolocation data
For data from a known child (under age 13), controllers must process such data in accordance with the federal Children's Online Privacy Protection Act (COPPA).
Data Protection Assessments
Under Va. Code 59.1-580, controllers must conduct and document data protection assessments for certain processing activities. These assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling where the profiling presents a foreseeable risk of harm
- Processing sensitive data
- Any processing activities involving personal data that present a heightened risk of harm to consumers
Each assessment must identify and weigh the benefits of the processing against the potential risks to consumer rights. The assessment must also identify safeguards the controller has put in place to reduce risks.
The Attorney General may request these assessments during an investigation. They are considered confidential and exempt from the Virginia Freedom of Information Act.
Processor Obligations
Data processors have specific duties under Va. Code 59.1-579. A processor must:
- Adhere to the instructions of the controller
- Assist the controller in meeting its obligations, including responding to consumer rights requests
- Maintain confidentiality with respect to personal data
- Delete or return all personal data to the controller at the end of the service relationship
- Make available all information necessary to demonstrate compliance
Controllers and processors must enter into a written contract that governs the processor's data processing activities. This contract must include clear instructions for processing, the nature and purpose of the processing, the type of data being processed, and the duration of the processing.
Children's Data Protections
Virginia has enacted progressively stronger protections for children's data through several VCDPA amendments.
Children Under 13 (Known Child Protections)
Under amendments effective January 1, 2025 (SB 361/HB 707), controllers face additional restrictions when processing personal data from a known child under age 13. Unless the controller first obtains parental consent in accordance with COPPA, it is prohibited from:
- Processing a known child's personal data for targeted advertising
- Selling a known child's personal data
- Profiling a known child in ways that produce legal or similarly significant effects
Controllers also cannot collect precise geolocation data from a known child unless it is reasonably necessary to provide the service and the controller provides an active signal indicating collection is occurring.
Social Media Restrictions for Minors Under 16
Effective January 1, 2026, Va. Code 59.1-577.1 imposes specific requirements on social media platforms regarding minors under age 16:
- Platforms must use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor
- Platforms must limit a minor's use of the platform to one hour per day per service or application
- A parent may provide verifiable parental consent to increase or decrease this daily time limit
- Platforms must use age data exclusively for age determination purposes
- Platforms cannot degrade service or increase prices for users who do not consent to extended use
In February 2026, Virginia Attorney General Jay Jones announced that his office intends to fully enforce these new provisions, beginning with 30-day cure notices to non-compliant platforms.
Trade association NetChoice filed a federal lawsuit in November 2025 in the Eastern District of Virginia challenging these time restrictions on First Amendment and Commerce Clause grounds. A decision remains pending as of early 2026.
Reproductive and Sexual Health Data Protections
Effective July 1, 2025, Virginia enacted protections for reproductive and sexual health information through amendments to the Virginia Consumer Protection Act. This law requires entities to obtain consumer consent before collecting, disclosing, selling, or disseminating personally identifiable reproductive or sexual health information.
The law uses a broad definition of reproductive and sexual health information. It impacts companies operating in health and wellness industries. Unlike the VCDPA's main enforcement mechanism, these reproductive health provisions include a private right of action, allowing consumers to sue directly.
VCDPA Enforcement and Penalties
Attorney General Enforcement
Under Va. Code 59.1-584, the Virginia Attorney General has exclusive authority to enforce the VCDPA. There is no private right of action under the VCDPA itself (though reproductive health provisions have separate enforcement).
Before taking action, the Attorney General must provide the controller or processor with a written notice identifying the specific provisions believed to be violated. The business then has a 30-day cure period to correct the violation and provide the Attorney General with a written statement confirming that the violation has been cured and that no further violations will occur.
If the business fails to cure within 30 days, the Attorney General may bring an action seeking:
- An injunction to restrain violations
- Civil penalties of up to $7,500 per violation
- Reasonable expenses, including attorney fees and investigative costs
Penalty Summary Table
| Violation Type | Maximum Penalty | Enforcement Authority | Private Right of Action |
|---|---|---|---|
| VCDPA violation (per violation) | $7,500 | VA Attorney General | No |
| Data breach notification failure | $150,000 per breach | VA Attorney General | Limited (economic damages) |
| Reproductive health data violation | Varies | VA Attorney General + private suit | Yes |
Current Enforcement Activity
As of early 2026, the Virginia Attorney General has not announced any public VCDPA enforcement settlements or penalties. However, the AG's Consumer Privacy Unit is actively receiving and investigating complaints. The AG's office has signaled aggressive enforcement of the new social media restrictions for minors that took effect January 1, 2026.
Virginia Data Breach Notification Law
Separate from the VCDPA, Virginia's data breach notification law at Va. Code 18.2-186.6 requires notification when personal information is compromised.
What Triggers a Notification
An entity must notify affected individuals when unencrypted or unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and the breach causes or is reasonably believed to cause identity theft or other fraud.
Personal information that triggers notification includes a consumer's first name or initial plus last name combined with any of the following:
- Social Security number
- Driver's license or state identification card number
- Financial account number, credit card, or debit card number (combined with any required security code, access code, or password)
- Passport number
- Military identification number
Who Must Be Notified
Entities must notify:
- Each affected Virginia resident without unreasonable delay
- The Virginia Attorney General's office
The notification must describe the incident in general terms, the types of personal information compromised, protective measures taken by the entity, a contact phone number, and advice for the consumer to monitor accounts and review credit reports.
Notification Timing
Notice must be provided without unreasonable delay. It may be delayed to determine the scope of the breach and restore system integrity. Law enforcement may also request delays if notification would impede a criminal or civil investigation or national security.
Breach Notification Penalties
The Attorney General may impose civil penalties of up to $150,000 per breach or series of breaches of a similar nature discovered in a single investigation. Individuals may also recover direct economic damages resulting from the failure to notify.
Other Virginia Privacy Provisions
De-Identified Data Requirements
Under Va. Code 59.1-581, controllers possessing de-identified data must take reasonable measures to ensure data cannot be associated with a natural person. They must also publicly commit to maintaining and using the data without attempting to re-identify it, and contractually require any recipients to comply with the same requirements.
Right to Delete Exemption (HB 381 Amendment)
A 2025 amendment created an exemption for controllers that obtain personal data from sources other than the consumer directly. These controllers can comply with deletion requests by either maintaining a minimal record of the deletion request while keeping the data deleted, or by opting consumers out of processing for non-exempt purposes.
Consumer Privacy Fund Changes
Legislation (SB 534, HB 714) redirected enforcement collections from the former dedicated Consumer Privacy Fund to the state treasury, credited to the Regulatory, Consumer Advocacy, Litigation and Enforcement Revolving Trust Fund. This change affected funding mechanisms but not company obligations.
How the VCDPA Compares to Other State Privacy Laws
Virginia's VCDPA shares many features with privacy laws in other states but has several notable distinctions:
- No private right of action: Unlike California's CCPA, the VCDPA does not allow consumers to sue businesses directly for violations (except for reproductive health data)
- No opt-in for data sales: Virginia uses an opt-out model rather than requiring opt-in consent for data sales
- 30-day cure period: Businesses get 30 days to fix violations before facing penalties, a more business-friendly approach than some states
- Narrower applicability: The thresholds (100,000 consumers or 25,000 consumers plus 50% revenue from data sales) are higher than some states
- Stronger children's protections: Virginia's social media time limits for minors are among the most aggressive in the nation
The information on this page is for general informational purposes only and does not constitute legal advice. Data privacy laws change frequently. For advice about your specific situation, consult a licensed attorney in Virginia.