VCDPA Consumer Rights: Exercise Your Virginia Privacy Rights

Virginia residents have five enforceable rights over their personal data under the Virginia Consumer Data Protection Act (VCDPA): the right to access, correct, delete, port, and opt out. Companies must respond within 45 days, and if they refuse, you have a statutory right to appeal and then escalate to the Virginia Attorney General.

The VCDPA took effect January 1, 2023, and covers any business that processes the personal data of at least 100,000 Virginia consumers annually, or at least 25,000 consumers where more than 50 percent of gross revenue comes from selling personal data. If a covered business holds data about you, the rights described below apply. For a broader overview of how the law works, see Virginia Data Privacy Laws.

What the VCDPA Covers and Who It Protects

Under Va. Code Ann. § 59.1-575, a "consumer" is a natural person who is a Virginia resident acting in an individual or household capacity. The definition expressly excludes people acting in a commercial or employment context, which means data your employer holds about you as an employee is not covered by these rights.

The VCDPA applies to controllers, the businesses that determine how and why personal data is processed. Covered controllers must provide at least one secure, reliable means for you to submit rights requests under § 59.1-578(E). When you contact them, you may be asked to verify your identity using commercially reasonable methods. If the controller cannot authenticate your request despite reasonable efforts, it is not required to comply under § 59.1-577(B.4), but it may ask for additional information to verify you instead of simply refusing outright.

Your rights under § 59.1-577 do not extend to data that has been de-identified or to data processed solely for certain exempt purposes, such as research, journalism, fraud prevention, or compliance with a legal obligation. That said, most everyday consumer data held by apps, retailers, data brokers, and online services falls squarely within scope.

Your Right to Access and Confirm Processing

Under Va. Code Ann. § 59.1-577(A)(1), you can ask any covered company to confirm whether it is processing personal data about you and, if so, to give you a copy of that data. This right has two components: the confirmation right (does the company hold your data at all?) and the access right (show me what you have).

How to exercise it: Look for a "Privacy Rights," "Consumer Request," or "Data Access Request" link in the company's website footer. Submit your request through the company's designated channel. Companies must maintain at least one secure, reliable submission method under § 59.1-578(E). You may need to provide identifying information such as an email address, account number, or answers to security questions.

The company must respond within 45 days of receiving your request, or within 90 days if it notifies you of an extension before the first deadline expires. Responses are free up to twice per calendar year. If your requests become manifestly unfounded, excessive, or repetitive, the company may charge a reasonable fee or decline to act under § 59.1-577(B.3).

Your Right to Correct Inaccurate Data

Virginia Code § 59.1-577(A)(2) lets you require a correction of inaccuracies in personal data a company holds about you, taking into account the nature of the data and the purpose of processing. This right matters most for data that directly affects decisions about you, such as financial profiles, credit-adjacent data, health-related records, or contact information used for customer communications.

How to exercise it: Submit a correction request through the company's privacy rights channel. Clearly identify the specific information you believe is inaccurate and, if possible, provide supporting evidence of the correct information. The company has 45 days to respond and must tell you what action it took or why it declined to act.

The company is not required to adopt every correction you propose. The standard, "taking into account the nature of the personal data," gives the controller discretion on implementation. If a company disputes your correction, its refusal triggers the appeal right described below.

Your Right to Delete Personal Data

Under Va. Code Ann. § 59.1-577(A)(3), you can request deletion of personal data the company collected from you or obtained about you from other sources. This is the broadest erasure right the VCDPA provides, covering both data you directly supplied (account information, purchase history) and data the company acquired about you (behavioral profiles, inferred attributes).

How to exercise it: Submit a deletion request through the company's privacy portal or designated email address. Be as specific as you can about the categories of data you want deleted. The 45-day response clock starts when the company receives your authenticated request.

Deletion is not absolute. The VCDPA preserves several exemptions: a controller may retain data to complete a transaction, to detect security incidents, to exercise free speech, to comply with a legal obligation, or to carry out certain research functions. The company must tell you if it is declining your deletion request and must explain which exemption applies.

Your Right to Data Portability

Section 59.1-577(A)(4) gives you the right to obtain a copy of your personal data in a portable, machine-readable format where technically feasible. Portability lets you take your data to a competing service, archive it locally, or share it with an advisor.

How to exercise it: Request a data export through the company's privacy rights channel. Common formats include CSV, JSON, or structured spreadsheets. The "technically feasible" qualifier means the company can provide data in a reasonable format rather than a custom API; it cannot use technical complexity as an excuse to provide nothing.

As with access requests, portability responses are free up to twice per year and must arrive within 45 days. The portability right applies to data you provided to the controller and data observed about you; it does not necessarily require the company to export inferred or derived data it generated internally.

Your Right to Opt Out: Targeted Ads, Data Sales, and Profiling

Virginia Code § 59.1-577(A)(5) is the broadest VCDPA right. You can opt out of three distinct uses of your data:

1. Targeted advertising. Ads selected for you based on your behavior across different websites, apps, or services not under common ownership.
2. Sale of personal data. Transferring your data to a third party in exchange for money. Under the VCDPA, "sale" means a monetary exchange, which is narrower than California's CPRA definition.
3. Profiling in furtherance of significant decisions. Automated processing that produces legal or similarly significant effects, such as decisions affecting your credit, insurance, employment, housing, or access to essential services.

How to exercise it: Look for a "Do Not Sell My Personal Data," "Opt Out of Targeted Advertising," or "Privacy Choices" link. Companies are required to disclose these opt-out paths in their privacy notice. You must submit a separate request to each company whose data practices you want to limit. The company has 45 days to confirm it has processed your opt-out.

One critical distinction: unlike Colorado and Connecticut, Virginia does not require companies to honor the Global Privacy Control (GPC) browser signal or any universal opt-out mechanism. This is addressed in detail in the next section.

Virginia Does Not Require Companies to Honor the Global Privacy Control (GPC)

The Global Privacy Control is a browser-level signal that users can enable to automatically broadcast an opt-out preference to every website they visit. Colorado and Connecticut have enacted laws requiring controllers to recognize this signal. Virginia has not.

The VCDPA (Va. Code Ann. §§ 59.1-575 through 59.1-585) contains no mandate for controllers to recognize GPC or any other universal opt-out signal. This is a verified feature of the statute, not an oversight that will be automatically corrected. As of the 2024 Virginia legislative session, no amendment has added a GPC requirement.

What this means for you as a Virginia resident: even if you have GPC enabled in your browser, a Virginia-only controller is not legally required to treat that signal as an opt-out. To exercise your opt-out rights under the VCDPA, you must submit a request directly through each company's privacy rights portal.

For a comparison, see Colorado Data Privacy Laws, which details Colorado's approach requiring GPC recognition.

Sensitive Data: When You Must Give Opt-In Consent

For certain categories of personal data, the VCDPA flips the default: companies cannot process this data at all without your affirmative opt-in consent under Va. Code Ann. § 59.1-578(A)(5). You do not need to opt out; the opt-in must happen first.

Under § 59.1-575, sensitive data includes:

• Data revealing your racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
• Genetic data or biometric data processed to uniquely identify you
• Personal data collected from a known child
• Precise geolocation data (typically within a radius of 1,750 feet)

For data concerning known children, the controller must comply with COPPA parental consent requirements rather than simply obtaining the child's own consent.

If a company is processing your sensitive data without having obtained your affirmative consent, that is a violation of § 59.1-578(A)(5) and a basis for a complaint to the Virginia AG.

How to Submit a VCDPA Rights Request

Under Va. Code Ann. § 59.1-578(E), every covered controller must establish at least one secure and reliable submission method for privacy requests. In practice, most companies offer one or more of the following:

• An online privacy portal or webform (most common, often linked as "Privacy Rights" or "Your Privacy Choices" in the site footer)
• A dedicated email address such as privacy@company.com or dpo@company.com
• A toll-free phone number

Step-by-step process:

1. Locate the company's privacy policy or footer and find the link for consumer rights requests.
2. Select the right you want to exercise (access, correction, deletion, portability, or opt-out).
3. Provide identifying information so the company can authenticate you under § 59.1-577(B.4). This typically means your name, email address on file, and possibly account details.
4. Submit and save confirmation of your submission (screenshot or confirmation email).
5. The 45-day response clock starts from the date of authenticated receipt.

If the company cannot authenticate your request using commercially reasonable efforts, it may ask for additional verification rather than outright denying the request. You are not required to provide information beyond what is reasonably necessary for authentication.

What to Do If a Company Denies Your Request: The VCDPA Appeal Right

Virginia's appeal process is one of the most structured consumer escalation paths among state privacy laws. It operates in two steps under Va. Code Ann. § 59.1-577(C).

Step 1: Internal appeal to the controller. After you receive a denial (or no response within 45 days), you can appeal directly to the company. The company must have established a conspicuous appeal process. Submit your appeal in writing through whatever channel the company designates, typically the same privacy portal used for initial requests or a separate appeal email. There is no set form required; clearly state that you are appealing the denial, identify the original request, and explain why you believe the denial was improper.

The company must respond to your appeal in writing within 60 days of receiving it, along with a written explanation of the reasons for its decision. Note the different timelines: 45 days for initial requests, 60 days for appeals.

Step 2: Escalation to the Virginia Attorney General. If the company denies your appeal, § 59.1-577(C) requires it to provide you with an online mechanism (or another method if no online mechanism exists) through which you can contact the Virginia AG to submit a complaint. Do not skip this step; the AG contact information should come from the company with its appeal denial.

You cannot sue the company yourself. The VCDPA expressly states in § 59.1-584 that there is no private right of action. Only the Virginia AG can file enforcement actions.

How to File a Complaint with the Virginia Attorney General

After a company has denied your appeal, you can file a complaint with the Virginia AG's Consumer Protection Section.

Contact options:

• Online complaint form: https://www.oag.state.va.us/consumercomplaintform/start
• Mailing address: Office of the Attorney General, Consumer Protection Section, 202 North Ninth Street, Richmond, Virginia 23219
• Consumer hotline: 1-800-552-9963 (Virginia toll-free) or 804-786-2042

When filing, include the name of the company, the date you submitted your original request, the date you received the denial, the date you submitted your appeal, the date you received the appeal denial, and copies of any written correspondence. The more documentation you provide, the stronger your complaint file.

The AG has exclusive enforcement authority under § 59.1-584 and can seek civil penalties up to $7,500 per violation after first providing the company a 30-day opportunity to cure. While the AG cannot guarantee enforcement in every individual case, documented patterns of violations are a key trigger for AG investigations.

If the company ignored your initial request entirely without responding within 45 days, you can skip the appeal step and file a complaint directly, since there is no response to appeal.

No Retaliation: Your Right Against Discrimination

Virginia Code § 59.1-578(A)(4) prohibits controllers from penalizing you for exercising your VCDPA rights. A company cannot:

• Deny you goods or services because you submitted a privacy request
• Charge you a higher price or different rate because you opted out
• Provide you a lower quality of service because you asked for your data or requested deletion

The only limited exception is if the difference in treatment is directly and reasonably related to the value the company derives from your data. For example, a loyalty program that offers discounts in exchange for data sharing may be able to restrict those discounts to participating members, but the difference in treatment must be proportionate and disclosed upfront.

If you believe a company has penalized you for exercising your VCDPA rights, document the treatment and include it in an AG complaint.

Related guides

• What Is the VCDPA? Virginia's Data Privacy Law Explained
• VCDPA Compliance Checklist for Businesses (2026)
• Virginia Data Privacy Laws: VCDPA Consumer Rights Guide (2026)
• Virginia Biometric Privacy Laws: Collection, Consent & Penalties (2026)
• US State Privacy Laws Comparison Chart (2026)

Sources