VCDPA Compliance Checklist for Businesses (2026)

Businesses that process the personal data of Virginia residents face a detailed stack of controller duties under the Virginia Consumer Data Protection Act (VCDPA), Va. Code Ann. sections 59.1-575 through 59.1-585. This nine-step checklist walks through every obligation, from the threshold self-test to processor contracts and enforcement exposure, so you can identify gaps before the Attorney General's 30-day notice letter arrives.
For a plain-language overview of what the VCDPA requires, see the companion explainer.
Step 1: Run the Applicability Self-Test
You are a covered controller under the VCDPA if your business operates in Virginia and clears either of two numerical thresholds. The first threshold is processing the personal data of at least 100,000 Virginia consumers during a calendar year. The second, lower-volume threshold applies to businesses that process data of at least 25,000 consumers AND derive more than 50 percent of gross revenue from selling personal data. Va. Code Ann. section 59.1-576(A).
Notice what the VCDPA does not include: there is no minimum annual revenue floor. Any size business can be covered if it clears the consumer-count thresholds. If neither threshold applies today, revisit the test annually as your data footprint grows, because crossing a threshold mid-year does not trigger retroactive liability but does mean obligations attach for subsequent processing.
Key questions to ask
- How many unique Virginia residents appear in your systems during the calendar year (across all products, services, and website visitors)?
- Do you sell personal data to third parties? If so, what percentage of total gross revenue does that represent?
- Do you do business in Virginia, even if your company is incorporated or headquartered elsewhere?
If your honest answers put you above 100,000 consumers, or above 25,000 with a data-sale revenue majority, proceed through the remaining steps. Otherwise the VCDPA does not apply, but document that conclusion in case the AG or a partner ever asks.
Step 2: Confirm Whether an Entity or Data Exemption Applies
Even if your business clears the numerical threshold, entire entity classes are expressly exempt from the VCDPA under Va. Code Ann. section 59.1-576(B). Exempt entities include nonprofit organizations; financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; HIPAA-covered entities and their business associates; higher education institutions; and government bodies.
Beyond entity-level exemptions, specific categories of data are excluded from the VCDPA's requirements under section 59.1-576(C), regardless of who holds them. Those data-category carve-outs include: protected health information regulated under HIPAA; consumer credit data regulated by the Fair Credit Reporting Act; education records protected under FERPA; personal data collected or processed under COPPA for children under 13; driver's license and motor vehicle record information governed by the Driver's Privacy Protection Act; and employment data processed solely in the employment context.
How to apply the dual-check
The entity exemption and the data exemption are independent. A HIPAA-covered hospital is exempt as an entity across the board. A technology company that is not HIPAA-covered may still hold some HIPAA-regulated data streams (if it processes data on behalf of covered entities as a business associate), which are exempt at the data level even though the company itself is not entity-exempt.
The practical step: for each data stream you process, ask (a) does an entity exemption remove the whole organization? and (b) even if the organization is covered, does a data-category exemption remove this specific data type? Apply both checks before treating any stream as VCDPA-regulated.
Step 3: Audit Your Data Minimization and Security Practices
Two foundational controller duties apply once the VCDPA governs your processing. First, you must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as those purposes were disclosed to the consumer. Va. Code Ann. section 59.1-578(A)(1). You cannot collect more than you need, and you cannot later repurpose data in ways that are materially incompatible with the original collection purpose without obtaining fresh consent.
Second, you must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data you process. Va. Code Ann. section 59.1-578(A)(3). The statute does not prescribe specific controls, but the reasonableness standard is calibrated to scale: a company processing five million sensitive records faces a higher burden than one managing 110,000 basic contact records.
Practical audit steps
- Map all personal data flows: what you collect, where it is stored, who can access it, and how long you retain it.
- Compare the collection scope against the disclosed purposes in your current privacy notice. Close any gap.
- Review your security program against the volume and sensitivity of data you hold. Document the assessment.
- Establish a data retention schedule so data is deleted when it is no longer necessary for disclosed purposes.
Step 4: Identify Sensitive Data and Obtain Opt-In Consent
The VCDPA's most important departure from a pure opt-out framework is its requirement for affirmative opt-IN consent before processing sensitive data. This consent must be obtained before processing begins, not offered as a post-collection opt-out. Va. Code Ann. section 59.1-578(A)(5).
The VCDPA defines sensitive data at section 59.1-575 to include: data revealing racial or ethnic origin; religious beliefs; mental or physical health diagnoses; sexual orientation or gender identity; citizenship or immigration status; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; personal data collected from a known child; and precise geolocation data (typically defined as latitude and longitude within a radius sufficient to identify a home address or other specific location).
Steps for sensitive data compliance
Go through each sensitive category and ask whether any of your products, analytics tools, advertising platforms, health questionnaires, or user profiles touch that category. The list is broader than many businesses expect: a wellness app that asks users to log mental health symptoms, a retail loyalty program that collects precise GPS coordinates, and an HR system that records gender identity all involve sensitive data.
For each sensitive data stream you identify, you need a granular, informed opt-in consent mechanism that: (1) clearly describes what sensitive data is being collected; (2) explains the purpose of processing; and (3) provides a genuine choice to decline without losing the core service (to the extent possible). Bundled consent or pre-checked boxes will not satisfy an affirmative opt-in standard.
For personal data collected from children who are known to be under 13, the VCDPA requires compliance with COPPA's verifiable parental consent rules, not merely a generic opt-in.
Step 5: Update Your Privacy Notice
Controllers must make their privacy notice reasonably accessible and clear. Va. Code Ann. section 59.1-578(C) specifies that the notice must disclose: (1) the categories of personal data the controller processes; (2) the purpose or purposes of that processing; (3) how consumers may exercise their five rights under the VCDPA and how to appeal a denied request; (4) the categories of personal data the controller shares with third parties; and (5) the categories of third parties with whom the controller shares personal data.
If you sell personal data to third parties or process it for targeted advertising, you must also add a clear and conspicuous disclosure of that practice and the manner in which a consumer may exercise their opt-out right. Va. Code Ann. section 59.1-578(D). A buried one-line sentence in a 10,000-word privacy policy is unlikely to satisfy "clear and conspicuous."
Privacy notice checklist
| Required element | Covered? |
|---|---|
| Categories of personal data processed | |
| Purposes of processing | |
| How to submit a consumer rights request | |
| How to appeal a denied request (with AG contact) | |
| Categories of data shared with third parties | |
| Categories of third parties receiving data | |
| Sale or targeted-advertising disclosure (if applicable) | |
| Opt-out mechanism for sale and targeted advertising (if applicable) | |
Review your notice against each row above. If any cell is blank, update the notice before your next compliance review date.
For a detailed walkthrough of each consumer right, including access, correction, deletion, portability, and opt-out, see the companion guide on consumer rights under the VCDPA.
Step 6: Conduct and Document Data Protection Assessments
Written Data Protection Assessments (DPAs) are mandatory for five categories of processing under Va. Code Ann. section 59.1-580(A):
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling that produces legal or other similarly significant effects on consumers
- Processing sensitive data
- Any other processing that presents a reasonably foreseeable heightened risk of harm to consumers
Each assessment must document the benefits flowing from the processing activity, the potential risks to consumer rights and interests, and the safeguards in place to reduce those risks. The statute directs controllers to weigh benefits against risks in light of the use of de-identified data, consumer expectations, and the context of the processing relationship. Va. Code Ann. section 59.1-580(C).
Scope and timing rules
One assessment may cover a comparable set of processing operations rather than requiring a separate document for every individual campaign or data-sharing agreement. However, the DPA requirement applies only to processing activities created or generated after January 1, 2023. Va. Code Ann. section 59.1-580(G). You do not need to retroactively assess processing activities that were fully set up before that date, but any new or materially modified processing since then requires an assessment.
AG demand and confidentiality
The Attorney General may request completed assessments via a civil investigative demand to evaluate compliance. Va. Code Ann. section 59.1-580(D). Completed assessments are confidential under Virginia's Freedom of Information Act and retain any attorney-client privilege or work-product protections that would otherwise apply. Keep completed DPAs on file and treat them as attorney-sensitive documents from the outset.
What a DPA should contain
A defensible DPA typically includes: a description of the processing activity and the data involved; the legitimate business purpose or benefit; a risk analysis identifying the types of consumer harm that could result (financial, reputational, physical, discriminatory); the safeguards and mitigating controls in place; and a conclusion weighing whether benefits outweigh residual risks. There is no prescribed format in the statute, but the AG's ability to demand these documents means vague or boilerplate assessments carry real risk.
Step 7: Execute Processor Contracts
Every vendor, service provider, or other third party that processes personal data on your behalf must be governed by a binding written controller-processor contract before they begin processing. Va. Code Ann. section 59.1-579(B).
At minimum, the contract must specify: the instructions for processing personal data; the nature and purpose of the processing; and the type of personal data subject to processing. Those three elements define the scope of the processor's authorized activity.
Mandatory contract provisions
Beyond the scope elements, the contract must require the processor to:
- Maintain confidentiality: All personnel who access personal data must be subject to binding confidentiality obligations.
- Delete or return data: Upon termination or request, the processor must delete or return all personal data to the controller.
- Demonstrate compliance: The processor must provide information sufficient for the controller to verify its compliance with the VCDPA.
- Cooperate with audits: The processor must submit to and cooperate with reasonable audits or independent third-party assessments of its practices.
- Flow down to sub-processors: Any sub-processors the processor engages must be bound by a written contract meeting equivalent obligations.
Vendor inventory
Before drafting or updating contracts, build a complete vendor inventory. List every third party that touches personal data you control: cloud infrastructure providers, analytics vendors, marketing platforms, payment processors, CRM tools, and any SaaS platforms that ingest data from your systems. Each relationship qualifies either as a processor (acting under your instructions) or as a third party (with its own controller role), and the distinction determines whether a controller-processor contract or a data-sharing agreement is the correct instrument.
Step 8: Build Consumer Request Workflows and Appeal Mechanisms
Virginia consumers have five rights under the VCDPA: the right to know what personal data a controller holds about them; the right to correct inaccuracies; the right to delete their data; the right to obtain a portable copy of their data; and the right to opt out of sale, targeted advertising, and certain profiling. Va. Code Ann. section 59.1-577.
Controllers must respond to authenticated requests within 45 days. One extension of up to an additional 45 days is permitted if the controller notifies the consumer within the initial period that additional time is needed and explains why.
The appeal requirement
If you deny a request, you must inform the consumer of the reason and provide them with a process to appeal the decision. If the appeal is also denied, you must provide the consumer with information about how to contact the Attorney General to submit a complaint. This two-tier appeal chain must be described in your privacy notice under the "how to exercise rights" section required by section 59.1-578(C).
The appeal mechanism is not optional and is not satisfied by a generic "contact us" email address. Build a dedicated, documented appeals process with written denials, documented reasoning, and a clear AG referral step.
For full detail on each right, request timelines, and how to authenticate requests without overcollecting identity data, see the companion guide on consumer rights under the VCDPA.
Step 9: Understand Enforcement, the Cure Period, and Penalty Exposure
The VCDPA is enforced exclusively by the Virginia Attorney General. There is no private right of action. Va. Code Ann. section 59.1-584(A) and (E). No individual consumer, plaintiff's law firm, or class can sue your company for a VCDPA violation. That said, AG-only enforcement is not a safe harbor.
The 30-day cure period
Before filing an enforcement action, the AG must give a controller or processor 30 days' written notice identifying the specific provisions alleged to have been violated. Va. Code Ann. section 59.1-584(B). If you cure the violation within that 30-day window and provide written confirmation of the cure, the AG may not bring an enforcement action for that specific violation.
The cure period does not have a sunset date in the current statute. Unlike some other state privacy laws that phase out cure periods after a fixed number of years, Virginia's cure period remains available as of the current text of the law.
Penalty exposure
If the 30-day cure period expires without a satisfactory cure, the AG may seek: injunctions requiring compliance; civil penalties of up to $7,500 per violation; and recovery of reasonable expenses including attorney fees. Va. Code Ann. section 59.1-584(C) and (D).
The per-violation structure is significant. A single marketing campaign that processes sensitive data without opt-in consent for 50,000 Virginia consumers does not produce one violation; depending on how the AG counts violations, it could produce 50,000. Build compliance before you receive notice, not after.
Compliance program elements
- Designate an internal owner for VCDPA compliance with documented authority and budget.
- Maintain a compliance calendar: annual applicability threshold review, privacy notice review, DPA review for new processing activities, and vendor contract audit.
- Train staff who handle personal data on the sensitive-data consent rules, the consumer request workflows, and escalation procedures.
- Keep all DPAs, processor contracts, and consent records in a documented, retrievable system. If the AG sends a civil investigative demand, you need to produce these within a short window.
For the full Virginia data privacy law overview, including how the VCDPA compares to other state privacy laws, see the parent page.
Related guides
- What Is the VCDPA? Virginia's Data Privacy Law Explained
- VCDPA Consumer Rights: Exercise Your Virginia Privacy Rights
- Virginia Data Privacy Laws: VCDPA Consumer Rights Guide (2026)
- Virginia Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)
Sources
- Va. Code Ann. section 59.1-575 (VCDPA Definitions). https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-575/
- Va. Code Ann. section 59.1-576 (VCDPA Scope and Exemptions). https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-576/
- Va. Code Ann. section 59.1-577 (Consumer Rights). https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-577/
- Va. Code Ann. section 59.1-578 (Controller Duties; Transparency). https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-578/
- Va. Code Ann. section 59.1-579 (Processor Obligations; Contracts). https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-579/
- Va. Code Ann. section 59.1-580 (Data Protection Assessments). https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-580/
- Va. Code Ann. section 59.1-584 (Enforcement; Civil Penalty). https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-584/