Virginia Data Privacy Laws: VCDPA Consumer Rights Guide (2026)

Virginia's Consumer Data Protection Act (VCDPA), codified at Va. Code Ann. sections 59.1-575 through 59.1-585, took effect January 1, 2023, making Virginia the second state to enact a comprehensive consumer data privacy law. The VCDPA gives residents rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, data sales, and profiling. Enforcement rests exclusively with the Virginia Attorney General, with no private right of action under the core statute.

Since its 2021 passage, the Virginia General Assembly has amended the VCDPA to add children's data protections, clarify nonprofit exemptions, and modify consumer rights. A July 2025 law added separate privacy protections for reproductive and sexual health information. A 2025 social media time-limit law for minors took effect January 1, 2026 but was blocked by a federal preliminary injunction on February 27, 2026. This guide covers Virginia's full data privacy framework as it stands in 2026.

What Is the Virginia Consumer Data Protection Act (VCDPA)?

The VCDPA is Virginia's comprehensive consumer data privacy law. Governor Ralph Northam signed it on March 2, 2021, and it became effective on January 1, 2023. The law is codified at Va. Code Title 59.1, Chapter 53.

The VCDPA gives Virginia consumers specific rights over their personal data and imposes obligations on businesses that collect and process consumer data. The Virginia Attorney General's office has published a consumer summary explaining the law's key provisions.

Unlike California's privacy law, the VCDPA does not create a private right of action for core violations. Only the Virginia Attorney General can enforce the main statute. This distinction matters for both consumers and businesses operating in Virginia.

Key Definitions Under the VCDPA

The VCDPA defines several important terms that determine how the law applies. Under Va. Code 59.1-575, the key definitions include:

Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person. This does not include de-identified data or publicly available information.

Sensitive data receives heightened protection under the law. It includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data used for identification purposes, personal data from a known child, and precise geolocation data.

Consumer means a natural person who is a Virginia resident acting in an individual or household context. The definition excludes people acting in a commercial or employment context.

Controller means the natural or legal person that determines the purposes and means of processing personal data. A processor means an entity that processes personal data on behalf of a controller.

Biometric data means data generated by automatic measurements of biological characteristics, such as fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns used to identify a specific individual. Digital photographs, video or audio recordings, and HIPAA-covered health care data are excluded from this definition.

Precise geolocation data means information that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.

Who Must Comply with the VCDPA?

The VCDPA applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents and meet one of two thresholds under Va. Code 59.1-576:

1. Control or process the personal data of at least 100,000 Virginia consumers during a calendar year, OR
2. Control or process the personal data of at least 25,000 Virginia consumers AND derive over 50% of gross revenue from the sale of personal data.

Unlike some state privacy laws, the VCDPA has no revenue-only threshold. A large retailer with high revenue but few Virginia consumers may not be covered. A data broker with modest revenue but significant data volumes likely is covered.

Who Is Exempt from the VCDPA?

The following entities are not subject to the VCDPA:

• Virginia state agencies and political subdivisions
• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
• Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Nonprofit organizations (including political organizations and certain 501(c)(4) entities, per 2022 amendments by SB 534 and HB 714)
• Institutions of higher education

Certain data categories are also exempt regardless of who holds them. These include data regulated under the Fair Credit Reporting Act (FCRA), the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act (FERPA), and data processed for employment purposes.

Consumer Rights Under the VCDPA

The VCDPA grants Virginia consumers five core privacy rights under Va. Code 59.1-577. These rights allow consumers to maintain control over how their personal data is collected, used, and shared.

Right to Access and Confirm

Consumers have the right to confirm whether a controller is processing their personal data. If the controller is processing such data, the consumer has the right to access that data.

Right to Correct

Consumers can request that a controller correct inaccuracies in their personal data. The controller must consider the nature of the personal data and the purposes of the processing when responding to correction requests.

Right to Delete

Consumers may request the deletion of personal data that the controller holds about them. This right applies to data the consumer provided directly and to data the controller obtained from other sources.

Under a 2022 amendment (HB 381), controllers that obtained personal data from sources other than the consumer may satisfy a deletion request by either maintaining a minimal record of the request while keeping the data deleted, or opting the consumer out of all processing for non-exempt purposes.

Right to Data Portability

Consumers can obtain a copy of their personal data in a portable and readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

Right to Opt Out

Consumers have the right to opt out of the processing of their personal data for three specific purposes:

• Targeted advertising based on personal data obtained from activities across different businesses, websites, or applications
• Sale of personal data to third parties
• Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

Universal Opt-Out Mechanism note: Virginia does not currently require controllers to honor browser-based universal opt-out signals such as the Global Privacy Control (GPC). This distinguishes the VCDPA from Colorado and Connecticut, which do require GPC recognition. Virginia consumers must submit opt-out requests directly to each controller.

How to Exercise Your Rights

To exercise any of these rights, consumers must submit a request to the controller. Controllers must respond within 45 days. They may extend this period by an additional 45 days when reasonably necessary, considering the complexity and number of requests.

Controllers must provide this service free of charge up to twice annually per consumer. If a request is manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee or decline to act on the request.

If a controller declines a request, the consumer may appeal. If the appeal is also denied, the consumer can file a complaint with the Virginia Attorney General.

Business Obligations Under the VCDPA

Controllers that fall under the VCDPA must meet several requirements outlined in Va. Code 59.1-578. These obligations are designed to ensure transparency and data minimization.

Data Collection Limitations

Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes. They cannot collect excessive data or use data in ways that are not reasonably necessary for the stated purpose.

Security Requirements

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data. These practices must protect the confidentiality, integrity, and accessibility of personal data.

Privacy Notice Requirements

Controllers must provide consumers with a reasonably accessible, clear privacy notice that includes:

• The categories of personal data processed by the controller
• The purpose for processing personal data
• How consumers may exercise their rights, including the right to appeal a controller's decision
• The categories of personal data shared with third parties
• The categories of third parties with whom personal data is shared

Consent for Sensitive Data

Controllers must not process sensitive data without first obtaining the consumer's consent. Sensitive data categories requiring affirmative consent include:

• Data revealing racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnoses
• Sexual orientation or citizenship status
• Genetic or biometric data for identification purposes
• Precise geolocation data

For data from a known child under age 13, controllers must process such data in accordance with the federal Children's Online Privacy Protection Act (COPPA).

Data Protection Assessments

Under Va. Code 59.1-580, controllers must conduct and document data protection assessments for certain processing activities. These assessments are required for:

• Processing personal data for targeted advertising
• Selling personal data
• Processing personal data for profiling where profiling presents a foreseeable risk of harm
• Processing sensitive data
• Any processing activities that present a heightened risk of harm to consumers

Each assessment must weigh the benefits of the processing against the potential risks to consumer rights and identify safeguards to reduce risks. The Attorney General may request these assessments during an investigation. They are confidential and exempt from the Virginia Freedom of Information Act.

Processor Obligations

Data processors have specific duties under Va. Code 59.1-579. A processor must:

• Adhere to the instructions of the controller
• Assist the controller in meeting its obligations, including responding to consumer rights requests
• Maintain confidentiality with respect to personal data
• Delete or return all personal data to the controller at the end of the service relationship
• Make available all information necessary to demonstrate compliance

Controllers and processors must enter into a written contract governing the processor's data processing activities. This contract must include instructions for processing, the nature and purpose of the processing, the type of data being processed, and the duration of the processing.

Children's Data Protections

Virginia has enacted progressively stronger protections for children's data through amendments to the VCDPA.

Children Under 13: Known Child Protections (Effective January 1, 2025)

Under amendments enacted by Governor Youngkin on May 17, 2024 (SB 361/HB 707), controllers face additional restrictions when processing personal data from a known child under age 13. Unless the controller first obtains parental consent in accordance with COPPA, they are prohibited from:

• Processing a known child's personal data for targeted advertising
• Selling a known child's personal data
• Profiling a known child in ways that produce legal or similarly significant effects

Controllers also cannot collect precise geolocation data from a known child unless it is reasonably necessary to provide the service and the controller provides an active signal indicating collection is occurring throughout the duration of collection.

Social Media Restrictions for Minors Under 16 (SB 854): Status as of May 2026

Virginia enacted SB 854, adding Va. Code 59.1-577.1, which imposed requirements on social media platforms regarding users under age 16. The law took effect January 1, 2026, and would have required platforms to:

• Determine whether users are minors using commercially reasonable methods
• Limit minor users to one hour per day per service or application
• Allow parents to adjust this time limit via verifiable parental consent

On November 17, 2025, NetChoice filed suit in the U.S. District Court for the Eastern District of Virginia, challenging the law on First Amendment and dormant Commerce Clause grounds. On February 27, 2026, U.S. District Judge Patricia Tolliver Giles granted a preliminary injunction blocking enforcement of the law. The court found that NetChoice was likely to succeed on the merits, particularly because the statute's content-based exemptions (for news, sports, gaming, and entertainment platforms) rendered the law a content-based speech restriction. Virginia Attorney General Jason Miyares has appealed the injunction to the Fourth Circuit.

The social media time-limit provisions of SB 854 are currently not being enforced while the litigation proceeds.

Reproductive and Sexual Health Data Protections (Effective July 1, 2025)

Governor Youngkin signed SB 754 on March 24, 2025. The law amends the Virginia Consumer Protection Act to prohibit certain entities from obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without consumer consent, effective July 1, 2025.

Several features distinguish SB 754 from the VCDPA:

• Broader applicability: The law applies to any "supplier" engaged in consumer transactions, not just to entities meeting the VCDPA's data-volume thresholds.
• Broader data scope: Protected information includes not only directly collected health data but also data derived, extrapolated, or inferred from non-health-related information, such as proxy, derivative, algorithmic, or emergent data.
• Consent standard: Consent must be a clear affirmative act that is freely given, specific, informed, and unambiguous.
• Private right of action: Unlike core VCDPA violations, SB 754 violations allow consumers to sue directly. Actual damages are available; willful violations allow treble damages plus reasonable attorney fees and court costs. The Attorney General may also seek injunctions and civil penalties for willful violations.

VCDPA Enforcement and Penalties

Attorney General Enforcement

Under Va. Code 59.1-584, the Virginia Attorney General has exclusive authority to enforce the VCDPA. There is no private right of action for violations of the core statute.

Before taking enforcement action, the Attorney General must provide the controller or processor with written notice identifying the specific provisions believed to be violated. The business then has a 30-day cure period to correct the violation and provide the Attorney General with a written statement confirming that the violation has been cured and that no further violations will occur.

Virginia's cure period is permanent, with no sunset provision. This distinguishes Virginia from Colorado, where the cure period expired January 1, 2025, and Connecticut, which eliminated its cure period. Businesses operating in multiple states should not assume Virginia has followed those states' enforcement tightening.

If the business fails to cure within 30 days, the Attorney General may seek:

• An injunction to restrain violations
• Civil penalties of up to $7,500 per violation
• Reasonable expenses, including attorney fees and investigative costs

Enforcement Activity as of 2026

Virginia Attorney General Jason Miyares has not publicly announced any VCDPA enforcement settlements or civil penalty actions as of May 2026. However, the AG's Consumer Privacy Unit is actively receiving complaints and investigating potential violations. On January 28, 2025, AG Miyares issued a public statement on Data Privacy Day highlighting Virginians' consumer data rights and urging consumers to file complaints with the Consumer Privacy Unit.

The AG's defense of SB 854's social media provisions against the NetChoice injunction reflects continued attention to digital privacy matters, though the core VCDPA enforcement record remains thin compared to California's CPPA.

Penalty Summary Table

Virginia Data Breach Notification Law

Separate from the VCDPA, Virginia's data breach notification law at Va. Code 18.2-186.6 requires notification when personal information is compromised.

What Triggers a Notification

An entity must notify affected individuals when unencrypted or unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and the breach causes or is reasonably believed to cause identity theft or other fraud.

Personal information that triggers notification includes a consumer's first name or initial plus last name combined with any of the following:

• Social Security number
• Driver's license or state identification card number
• Financial account number, credit card, or debit card number combined with any required security code, access code, or password
• Passport number
• Military identification number

Who Must Be Notified

Entities must notify each affected Virginia resident without unreasonable delay and must also notify the Virginia Attorney General's office. The notification must describe the incident, the types of personal information compromised, protective measures taken, a contact phone number, and advice for consumers to monitor accounts and review credit reports.

Notification Timing

Notice must be provided without unreasonable delay. It may be delayed to determine the scope of the breach and restore system integrity. Law enforcement may also request delays if notification would impede a criminal or civil investigation.

Breach Notification Penalties

The Attorney General may impose civil penalties of up to $150,000 per breach or series of breaches of a similar nature discovered in a single investigation. Individuals may also recover direct economic damages resulting from a failure to notify.

Recent Developments: What Changed in 2024-2026

Several developments have materially changed Virginia's privacy landscape since the VCDPA's January 2023 effective date.

Children's Data Amendments (SB 361/HB 707, effective January 1, 2025): Virginia added targeted restrictions on processing data from known children under 13, requiring parental consent before using such data for advertising, sales, or profiling.

Reproductive Health Data Law (SB 754, effective July 1, 2025): A standalone consumer protection amendment created the broadest reproductive and sexual health data privacy protections in Virginia's history, with a private right of action, treble damages, and applicability beyond VCDPA thresholds.

Social Media Time Limits for Minors (SB 854, effective January 1, 2026, enforcement blocked): Virginia enacted one-hour daily limits for minor users of social media platforms, but a federal court granted a preliminary injunction on February 27, 2026, blocking enforcement pending appeal.

Virginia AI Act Vetoed (March 24, 2025): Governor Youngkin vetoed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act, which would have created obligations for developers and deployers of high-risk AI systems including anti-discrimination assessments. Virginia has no comprehensive AI regulation as of May 2026.

AG Miyares on Privacy Day (January 28, 2025): AG Miyares publicly highlighted consumer data rights and urged Virginians to file complaints with the Consumer Privacy Unit, signaling continued attention to the law even without public enforcement actions.

Federal Overlay: Laws That Apply in Virginia

Virginia consumers and businesses must account for several federal privacy laws that operate alongside the VCDPA.

TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025): This federal law criminalizes the nonconsensual publication of intimate images and AI-generated sexual deepfakes. Platform takedown obligations, requiring removal of flagged content within 48 hours, became effective May 19, 2026. The Federal Trade Commission enforces compliance with civil penalties up to $53,088 per violation. Covered platforms that received formal warning letters from FTC Chairman Andrew Ferguson include Meta, Apple, Microsoft, TikTok, Reddit, Snapchat, and X.

HIPAA: Covered entities and their business associates in Virginia are subject to HIPAA's Privacy Rule (45 C.F.R. Part 164) and Security Rule. HIPAA-covered entities are exempt from the VCDPA for data processed in their HIPAA-regulated capacity, but Virginia's SB 754 reproductive health law may impose independent consent requirements on some health-adjacent services that are not HIPAA-covered entities.

GLBA: Financial institutions subject to the Gramm-Leach-Bliley Act are exempt from the VCDPA. The FTC's Safeguards Rule (16 C.F.R. Part 314, updated 2023) continues to apply.

FCRA and FACTA: Consumer reporting agencies and furnishers in Virginia operate under the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act. FCRA-regulated data is exempt from VCDPA coverage.

COPPA: Operators of websites or online services directed to children under 13 must comply with the Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.), enforced by the FTC. The VCDPA's known-child provisions operate in coordination with, not as a replacement for, COPPA.

FTC Act Section 5: The Federal Trade Commission may bring deception and unfairness actions against entities that violate privacy promises or fail to maintain reasonable data security, regardless of VCDPA applicability. This provides a federal baseline that applies to Virginia companies below VCDPA thresholds.

APRA status: The American Privacy Rights Act, a bipartisan federal comprehensive privacy bill introduced in 2024, expired at the end of the 118th Congress in January 2025 without being enacted. As of May 2026, no comprehensive federal privacy legislation has been reintroduced. The VCDPA therefore remains in force without federal preemption.

Practical Compliance Steps for Businesses

Businesses that meet VCDPA thresholds or anticipate reaching them should take the following steps.

Determine applicability: Confirm whether you process personal data of 100,000 or more Virginia consumers, or 25,000 or more while deriving more than 50% of revenue from data sales. Review exemptions, particularly GLBA, HIPAA, nonprofit status, and FERPA.

Update your privacy notice: The VCDPA requires a clear, accessible privacy notice disclosing categories of personal data, purposes, third-party sharing, and how to submit consumer rights requests. The notice must explain how consumers can appeal a denied request.

Build a consumer rights workflow: You need a documented process to receive, verify, and respond to access, correction, deletion, portability, and opt-out requests within 45 days (extendable to 90 days with notice).

Audit sensitive data flows: Identify all processing of sensitive data categories, particularly precise geolocation, biometric, genetic, health, and known-child data. Confirm you have affirmative consent mechanisms in place before any processing.

Conduct data protection assessments: Document assessments for targeted advertising, data sales, profiling, sensitive data, and any high-risk processing. Keep them confidential and available for AG review.

Execute processor contracts: Review all vendor agreements. Contracts with data processors must comply with Va. Code 59.1-579, including instructions, purpose limitations, and post-termination data return or deletion.

Review children's data practices: If you operate services likely to reach known children under 13, implement COPPA-compliant parental consent before processing their data for advertising, sales, or profiling.

Monitor the SB 854 litigation: If you operate a social media platform that would be covered by the one-hour daily limit law, watch the Fourth Circuit appeal in NetChoice v. Miyares. Enforcement remains blocked, but the outcome of the appeal will determine whether compliance is required.

Establish a TAKE IT DOWN Act process: Covered platforms must have a 48-hour notice-and-removal process for nonconsensual intimate imagery as of May 19, 2026. FTC enforcement is active.

How the VCDPA Compares to Other State Privacy Laws

Virginia's VCDPA shares many features with privacy laws in other states but has several notable distinctions:

• No private right of action for core violations: Unlike California's CCPA, the VCDPA does not allow consumers to sue businesses directly (except for reproductive health data under SB 754)
• No opt-in for data sales: Virginia uses an opt-out model rather than requiring opt-in consent for data sales
• Permanent cure period: Virginia's 30-day cure period has no sunset; Colorado's expired January 1, 2025 and Connecticut's has been eliminated
• No UOOM/GPC obligation: Virginia does not require controllers to honor browser-based universal opt-out signals
• No dedicated privacy agency: The Virginia AG, not a dedicated agency like California's CPPA, handles all enforcement
• Narrower applicability thresholds: The 100,000-consumer or 25,000-plus-50%-revenue test is relatively high; smaller data processors may not be covered

Other Virginia Laws and Related Guides

Explore additional Virginia and data privacy legal resources on Recording Law:

• Virginia Recording Laws
• Alabama Data Privacy Laws
• California Data Privacy Laws
• Colorado Data Privacy Laws
• Connecticut Data Privacy Laws
• Texas Data Privacy Laws
• View All State Data Privacy Laws

More Virginia Laws

• Virginia AI Meeting Recording Laws
• Virginia Alimony Laws
• Virginia At-Will Employment Laws
• Virginia Car Accident Laws
• Virginia Car Seat Laws
• Virginia Child Custody Laws
• Virginia Child Support Laws
• Virginia Common Law Marriage Laws
• Virginia Deepfake Laws
• Virginia Divorce Laws
• Virginia Dog Bite Laws
• Virginia Emancipation Laws
• Virginia Expungement Laws
• Virginia Hit and Run Laws
• Virginia Landlord-Tenant Laws
• Virginia Lemon Laws

The information on this page is for general informational purposes only and does not constitute legal advice. Data privacy laws change frequently. For advice about your specific situation, consult a licensed attorney in Virginia.

In-depth guides

• What Is the VCDPA? Virginia's Data Privacy Law Explained
• VCDPA Consumer Rights: Exercise Your Virginia Privacy Rights
• VCDPA Compliance Checklist for Businesses (2026)