Virginia Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Virginia does not have a standalone biometric privacy statute like Illinois's BIPA or Texas's CUBI. Instead, Virginia protects biometric data through the Virginia Consumer Data Protection Act (VCDPA), a comprehensive consumer privacy law that classifies biometric identifiers as sensitive data requiring affirmative opt-in consent.
Governor Ralph Northam signed Senate Bill 1392 into law on March 2, 2021, making Virginia the second state after California to enact a comprehensive consumer data privacy law. The VCDPA took effect on January 1, 2023.
For an overview of Virginia's broader privacy framework, see the parent guide to Virginia Data Privacy Laws.
How the VCDPA Defines Biometric Data

The VCDPA defines biometric data under Va. Code 59.1-575 as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics
The law draws a clear boundary around what does not qualify. A physical or digital photograph, a video or audio recording, or data generated from those recordings is not biometric data under the VCDPA. Information collected, used, or stored for health care treatment, payment, or operations under HIPAA is also excluded from the definition.
This definition follows the approach used in several other state comprehensive privacy statutes, including Connecticut and Kentucky. It is narrower than the definition used in Illinois's BIPA, which covers a broader set of biometric identifiers without the same exclusions.
Sensitive Data Classification and Consent Requirements

Under the VCDPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data." This is the highest protection category in the law.
Other categories of sensitive data under Va. Code 59.1-575 include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for identification
- Precise geolocation data
- Personal data collected from a known child under 13
Consent requirement. Controllers must obtain a consumer's opt-in consent before processing sensitive data, including biometric data, under Va. Code 59.1-578(A)(5). This means a business cannot collect your fingerprint, faceprint, or iris scan for identification purposes without first asking for and receiving your affirmative agreement.
The VCDPA defines "consent" as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data. A buried clause in a terms-of-service agreement or a pre-checked checkbox does not meet this standard. Consent must involve a deliberate action, such as a written statement or other unambiguous affirmative act.
Who Must Comply With the VCDPA
The VCDPA applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents and meet one of these thresholds under Va. Code 59.1-576:
- Process personal data of 100,000 or more Virginia consumers during a calendar year, or
- Process personal data of 25,000 or more Virginia consumers and derive over 50% of gross revenue from the sale of personal data
The term "sale" under the VCDPA covers only exchanges for monetary consideration. This is narrower than laws in states like California, which also cover non-monetary exchanges of value.
Key Exemptions
The VCDPA carves out several categories of entities and data types from coverage under Va. Code 59.1-576:
Entity exemptions:
- Virginia state and local government agencies
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Entities covered by HIPAA
- Nonprofit organizations
- Institutions of higher education
Data exemptions:
- Protected health information under HIPAA
- Consumer credit reporting data under the Fair Credit Reporting Act (FCRA)
- Data covered by the Family Educational Rights and Privacy Act (FERPA)
- Data under the Driver's Privacy Protection Act (DPPA)
Employee data exemption. The VCDPA excludes personal data collected in an employment context from coverage. If your employer collects your fingerprints for a timekeeping system or uses facial recognition for building access, the VCDPA does not apply to that collection. Virginia has not enacted a separate law regulating employer use of biometric data, though a bill (HB 1215) proposing employer biometric data protections with a $25,000-per-violation penalty was introduced and left in committee.
Consumer Rights Over Biometric Data
Because biometric data is sensitive personal data under the VCDPA, Virginia consumers have these rights under Va. Code 59.1-577:
Right to confirm and access. You can ask any covered business whether it is processing your biometric data and request access to that data.
Right to correct. If a business holds inaccurate biometric data about you, you can request a correction.
Right to delete. You can request that a business delete the biometric data it holds about you.
Right to data portability. You can obtain a copy of your biometric data in a portable and readily usable format.
Right to opt out. You can opt out of the processing of your personal data for targeted advertising, data sales, or profiling that produces legal or similarly significant effects.
Right to non-discrimination. Businesses cannot penalize you for exercising any of these rights by denying goods or services, charging different prices, or providing a different quality of service.
Businesses must respond to consumer rights requests within 45 days under the VCDPA. They can extend this period by an additional 45 days when reasonably necessary, but must notify the consumer of the extension and the reason for it. If a business denies your request, you may appeal, and the business must respond to the appeal within 60 days. If the appeal is denied, the business must provide contact information for filing a complaint with the Virginia Attorney General.
Data Protection Assessments for Biometric Data
Controllers that process sensitive data, including biometric data, must conduct data protection assessments under Va. Code 59.1-580. These assessments apply to processing activities created or generated after January 1, 2023.
A data protection assessment must weigh the benefits of the processing against the potential risks to the consumer, including risks of:
- Unfair or deceptive treatment or unlawful disparate impact
- Financial, physical, or reputational injury
- Intrusion upon solitude or seclusion
- Other substantial injury
The Virginia Attorney General can request these assessments through a civil investigative demand. They remain confidential and exempt from public inspection under Virginia's Freedom of Information Act.
Facial Recognition Technology Restrictions
Virginia goes beyond the VCDPA with separate statutes governing government use of facial recognition technology.
State police. Under Va. Code 52-4.5, Virginia State Police can use facial recognition for 14 authorized purposes, including identifying crime suspects, locating missing persons, and detecting human trafficking. The technology must be evaluated by the National Institute of Standards and Technology (NIST) and demonstrate at least 98% true positive accuracy with minimal demographic performance variations. The statute prohibits real-time tracking of identified individuals and creating databases from live video feeds. Operators who violate these rules face Class 3 misdemeanor charges.
Local law enforcement. Under Va. Code 15.2-1723.2, local law-enforcement agencies face similar restrictions. Effective July 1, 2026, no local law-enforcement agency may purchase or deploy facial recognition technology unless expressly authorized by statute. The technology must remain under the exclusive control of the agency, and data must be kept confidential and accessible only through search warrants.
Higher education. Under Va. Code 23.1-815.1, campus police departments are also prohibited from purchasing or deploying facial recognition technology unless expressly authorized by statute, effective July 1, 2026.
Breach Notification and Biometric Data
Virginia's breach notification law at Va. Code 18.2-186.6 requires businesses to notify affected individuals and the Attorney General when a security breach compromises unencrypted personal information.
The current definition of "personal information" under the breach notification statute covers a first name or initial and last name combined with a Social Security number, driver's license number, financial account numbers, passport number, or military ID. Biometric data is not specifically listed as a triggering data element under this statute.
However, the breach notification law contains a notable provision for consumers: it explicitly preserves an individual's right to recover direct economic damages from a violation. This means that unlike the VCDPA, where enforcement is limited to the Attorney General, Virginia's breach notification statute allows a private right of action for direct economic damages resulting from a breach notification violation. Courts have entertained individual and class action lawsuits under this provision.
The Attorney General can impose civil penalties of up to $150,000 per breach or series of similar breaches discovered during a single investigation.
Enforcement and Penalties

The Virginia Attorney General has exclusive enforcement authority over the VCDPA. There is no private right of action, meaning individual consumers cannot file lawsuits against businesses for VCDPA violations.
The enforcement process works as follows:
- The Attorney General identifies a potential violation and sends written notice identifying the specific provisions at issue
- The business has 30 days to cure the alleged violation
- If the business cures the violation and provides a written statement that it will not engage in further violations, the Attorney General takes no action
- If the business fails to cure, the Attorney General can bring a civil action with penalties of up to $7,500 per violation
- The Attorney General can also recover reasonable investigation expenses, including attorney fees
The 30-day cure period is permanent under the VCDPA. Unlike privacy laws in some other states that have removed or plan to remove their cure periods, Virginia's cure provision remains in effect.
As of early 2026, the Virginia Attorney General's office has focused enforcement activity on the VCDPA's newer provisions, including social media restrictions for minors that took effect January 1, 2026. Attorney General Jay Jones announced in February 2026 that his office intends to fully enforce these provisions.
Consumers can file complaints about potential VCDPA violations with the Virginia Attorney General's Office.
Recent and Pending Legislation
Virginia's biometric privacy landscape continues to develop:
2025 VCDPA amendments. The Virginia General Assembly amended the VCDPA to add protections for reproductive and sexual health information, effective July 1, 2025. These amendments created a new consent requirement before entities can collect, disclose, sell, or disseminate personally identifiable reproductive or sexual health information.
2026 social media provisions. SB 854, signed into law on May 2, 2025, added requirements for social media platforms to use commercially reasonable methods to determine whether users are minors under 16 and to limit minors' use to one hour per day unless a parent consents to increase the limit. These provisions took effect January 1, 2026.
Facial recognition sunset. The current frameworks for state police and local law enforcement use of facial recognition (Va. Code 52-4.5) are set to expire on July 1, 2026, with revised provisions taking effect that impose stricter authorization requirements.
Employer biometric data. Virginia has not enacted a standalone employer biometric data law. HB 1215, which would have established requirements for employer capture and destruction of biometric data with penalties up to $25,000 per violation and a private right of action, was left in committee during the 2021 session and has not been reintroduced.
How Virginia Compares to Other States
Virginia's approach to biometric privacy falls in the middle of the spectrum among U.S. states:
Stronger than states with no protections. Many states still lack any specific biometric data protections. Virginia's classification of biometric data as sensitive data requiring consent, combined with its facial recognition restrictions on government, puts it ahead of states that have no privacy framework in place.
Weaker than dedicated biometric privacy laws. States like Illinois, Texas, and Washington have standalone biometric privacy statutes with specific requirements for notice, consent, retention schedules, and data destruction. Illinois's BIPA includes a private right of action that has produced significant litigation and settlements exceeding $1 billion.
Similar to other comprehensive privacy law states. Virginia's approach closely mirrors states like Connecticut, Colorado, and Kentucky, which all classify biometric data as sensitive data within their comprehensive consumer privacy frameworks and require opt-in consent for processing.
Sources and References
This article references Virginia statutes and official state government publications. For the full text of the VCDPA, visit the Virginia Legislative Information System. For guidance on consumer rights and filing complaints, visit the Virginia Attorney General's Office.
This article provides general legal information about Virginia biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Virginia government sources.
Sources and References
- Virginia Consumer Data Protection Act (Full Text) (law.lis.virginia.gov)
- Va. Code 59.1-575 - VCDPA Definitions (law.lis.virginia.gov)
- Va. Code 59.1-576 - Scope and Exemptions (law.lis.virginia.gov)
- Va. Code 59.1-577 - Consumer Personal Data Rights (law.lis.virginia.gov)
- Va. Code 59.1-578 - Data Controller Responsibilities (law.lis.virginia.gov)
- Va. Code 59.1-580 - Data Protection Assessments (law.lis.virginia.gov)
- Va. Code 59.1-584 - VCDPA Enforcement (law.lis.virginia.gov)
- Va. Code 18.2-186.6 - Breach Notification (law.lis.virginia.gov)
- Va. Code 52-4.5 - Facial Recognition Technology (State Police) (law.lis.virginia.gov)
- Va. Code 15.2-1723.2 - Facial Recognition (Local Law Enforcement) (law.lis.virginia.gov)
- Va. Code 23.1-815.1 - Facial Recognition (Campus Police) (law.lis.virginia.gov)
- Virginia Attorney General - Consumer Data Privacy Rights (oag.state.va.us)
- Senate Bill 1392 (2021) - VCDPA Enactment (lis.virginia.gov)