What Is the VCDPA? Virginia's Data Privacy Law Explained

The Virginia Consumer Data Protection Act (VCDPA), codified at Va. Code Ann. §§ 59.1-575 through 59.1-584, took effect January 1, 2023, making Virginia the second state in the nation to enact a comprehensive consumer data privacy law. It gives Virginia residents specific rights over their personal data and imposes obligations on businesses that meet coverage thresholds.
As of 2026, the Virginia Attorney General actively enforces the VCDPA and has warned businesses to expect scrutiny over data practices affecting Virginia consumers.
What the VCDPA is: statute, enactment, and background
The VCDPA is Virginia's comprehensive consumer data privacy statute, codified at Va. Code Ann. §§ 59.1-575 through 59.1-584 (Chapter 53 of Title 59.1). Governor Ralph Northam signed Senate Bill 1392 on March 2, 2021, giving businesses a nearly two-year runway before the law took effect on January 1, 2023. That timeline made Virginia the second state in the country, after California, to enact a broad consumer data privacy regime.
The law governs how covered businesses must collect, use, and disclose the personal data of Virginia residents. Its architecture leans more on the EU's General Data Protection Regulation (GDPR) than on California's CCPA: it uses a controller-processor framework, requires data protection assessments for high-risk processing, and most significantly, mandates affirmative opt-in consent for sensitive data rather than an opt-out mechanism. The statute defines "personal data" broadly as any information linked or reasonably linkable to an identified or identifiable natural person, while carving out de-identified data and publicly available information.
For the full compliance framework covering controller obligations, data processor contracts, and enforcement history, see the Virginia data privacy laws parent page.
Who the VCDPA covers: applicability thresholds and exemptions
The VCDPA reaches for-profit entities that do business in Virginia or target Virginia residents and meet either of two volume thresholds. Under Va. Code Ann. § 59.1-576(A), a business is covered if it: (1) controls or processes personal data of at least 100,000 Virginia consumers during a calendar year, or (2) controls or processes personal data of at least 25,000 Virginia consumers and derives more than 50% of gross revenue from selling personal data.
A critical distinction from some other state laws is that the VCDPA sets no minimum annual revenue threshold. A small startup that handles the data of 100,000 Virginia users is covered on exactly the same basis as a Fortune 500 company. The law's coverage trigger is entirely volume-based.
The exemptions in Va. Code Ann. § 59.1-576(B) are substantial. The following are not subject to the VCDPA:
- Nonprofit organizations
- Institutions of higher education
- Government bodies
- HIPAA-covered entities and their business associates
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Data already regulated by federal statutes, including the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), and the Driver's Privacy Protection Act (DPPA)
These exemptions mean that health systems, banks, credit unions, universities, and charities operate largely outside the VCDPA's reach, even if they handle large volumes of Virginia resident data.
The five consumer rights under the VCDPA
Virginia residents can exercise five enumerated rights against covered controllers under Va. Code Ann. § 59.1-577(A)(1)-(5):
- Right to access. A consumer may confirm whether a controller is processing their personal data and request a copy of that data.
- Right to correct. A consumer may require a controller to correct inaccurate personal data, taking into account the nature and purpose of the processing.
- Right to delete. A consumer may request deletion of personal data the consumer provided or that the controller otherwise collected about them.
- Right to portability. A consumer may obtain a copy of their personal data in a portable, readily usable format that allows transfer to another controller.
- Right to opt out. A consumer may opt out of processing for three specific purposes: targeted advertising, the sale of personal data, and profiling that produces a legal or similarly significant effect on the consumer.
Under Va. Code Ann. § 59.1-577(B), controllers have 45 days to respond to a rights request. They may extend this period once by an additional 45 days when reasonably necessary, provided they notify the consumer within the initial 45-day window. That means the maximum response time is 90 days with proper notice.
Controllers that deny a request must inform the consumer how to appeal the decision. The consumer must then have a reasonable period to appeal, and the controller must respond to the appeal within 60 days, with a written explanation if the appeal is denied.
For a detailed walkthrough of how to submit requests and what businesses are required to do with each, see the VCDPA consumer rights spoke.
Sensitive data and the opt-in consent requirement
One of the VCDPA's most distinctive features is its opt-in consent standard for sensitive data. Under Va. Code Ann. § 59.1-578(A)(5), a controller shall not process sensitive data about a consumer without first obtaining the consumer's affirmative consent. This is an active, prior agreement, not a default-on setting with an opt-out link.
Sensitive data is defined at Va. Code Ann. § 59.1-575 to include:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person
- Personal data collected from a known child
- Precise geolocation data
The opt-in requirement matters most in practice for health apps, identity verification services, location-based services, and platforms serving younger users. Before any of those categories of data can be processed, the controller must obtain a clear yes from the consumer, not merely provide a way to say no later.
This standard is meaningfully stricter than the CCPA/CPRA, which requires only that businesses provide a "Limit the Use of My Sensitive Personal Information" link and honor opt-out requests. The VCDPA's approach is closer to GDPR Article 9, which requires explicit consent for special-category data.
For children's data specifically, a 2024 amendment reinforced the baseline. HB 707 (effective January 1, 2025) added a prohibition on collecting precise geolocation data from a known child under 13 unless the data is reasonably necessary for the service, and requires that parental consent align with the Children's Online Privacy Protection Act (COPPA). Controllers cannot condition access on consent to non-necessary processing of a child's data.
VCDPA enforcement: AG-exclusive, 30-day cure, up to $7,500 per violation
Enforcement of the VCDPA belongs entirely to the Virginia Attorney General. Va. Code Ann. § 59.1-584 expressly states that "nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law." Individual consumers cannot sue businesses directly for VCDPA violations, no matter how serious the breach of their rights.
Before filing any enforcement action, the AG must give the controller or processor written notice identifying the specific alleged violation and a 30-day period to cure it. If the business cures the violation and delivers a written statement of compliance within that window, no action may be brought for that violation. The cure period is not optional for the AG: it is a statutory prerequisite.
If the violation is not cured, or if the business violates again after providing a written cure statement, the AG may seek:
- Civil penalties of up to $7,500 for each violation
- Injunctive relief
- Reasonable expenses, attorney fees, and costs
Penalty proceeds are deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund under Va. Code Ann. § 59.1-584.
The $7,500-per-violation cap is identical to the penalty under the CCPA for intentional violations, though the VCDPA applies it to every violation rather than reserving the higher amount for deliberate misconduct. For a business that denies thousands of consumer requests improperly, the per-violation exposure can accumulate quickly.
Controllers should also note the data protection assessment requirement at Va. Code Ann. § 59.1-580: covered processing activities including targeted advertising, data sales, certain profiling, and sensitive data processing must be documented in a data protection assessment before the activity begins. The AG may request these assessments during an investigation, making them both a compliance obligation and an enforcement target.
For a step-by-step guide to what businesses must do to avoid a violation notice, see the VCDPA compliance checklist spoke.
VCDPA vs. CCPA: three key differences
The two most-compared U.S. state privacy laws differ on several points that matter practically. Our state privacy law comparison page covers more states, but here are the three sharpest distinctions between the VCDPA and California's CCPA:
Consent standard for sensitive data. The VCDPA requires affirmative opt-in consent before a controller may process sensitive personal data (Va. Code Ann. § 59.1-578(A)(5)). The CCPA/CPRA uses an opt-out model: businesses may process sensitive personal information unless and until the consumer exercises a "Limit the Use" right under Cal. Civ. Code § 1798.121. In practice, opt-in means the default is no processing; opt-out means the default is yes unless the consumer acts.
Private right of action. The CCPA includes a limited private right of action for consumers whose nonencrypted and nonredacted personal information is exposed in a data breach caused by a business's failure to implement reasonable security procedures. The VCDPA has no private right of action of any kind. All enforcement runs through the Attorney General.
Revenue threshold. The CCPA applies only to businesses meeting at least one of three thresholds, one of which is annual gross revenues exceeding $25 million. The VCDPA has no revenue floor. Any for-profit entity that processes data of 100,000 Virginia consumers is covered regardless of its size or revenues.
Recent VCDPA amendments: children, social media, and reproductive health data
The VCDPA has been amended three times since its 2021 enactment, each time adding significant new obligations or protections.
HB 707 (effective January 1, 2025): children's data. Governor Youngkin signed this amendment on May 17, 2024. Under the revised Va. Code Ann. § 59.1-578, controllers are prohibited from collecting precise geolocation data from a known child under 13 unless the data is reasonably necessary to provide the requested service. Controllers must also obtain parental consent consistent with COPPA before processing a child's personal data in ways that go beyond what COPPA already mandates.
SB 854 (effective January 1, 2026): social media and minors. This 2024 amendment added Va. Code Ann. § 59.1-577.1, targeting social media platforms specifically. Platforms must use commercially reasonable methods to determine whether a user is under 16. If they know or have reason to know a user is a minor under 16, they must restrict that user's daily use to one hour per day unless a parent or guardian provides consent for a longer limit. This provision is already in force as of the article date.
SB 754 (effective July 1, 2025): reproductive and sexual health data. This is where careful reading matters. SB 754 does not amend the VCDPA. It amends the Virginia Consumer Protection Act (VCPA), a separate and older consumer protection statute. The law prohibits any business from obtaining, disclosing, selling, or disseminating personally identifiable information about a consumer's reproductive or sexual health without that consumer's consent. Crucially, SB 754 includes a private right of action and applies broadly to any business operating in Virginia, not just to covered VCDPA controllers. Consumers who suffer violations of SB 754's reproductive health data protections can sue directly; they still cannot sue under the VCDPA itself.
The distinction is not a technicality. If a business is too small to be a VCDPA "controller" but still collects reproductive health data, it is nonetheless bound by SB 754. And if a consumer's reproductive health data is misused, their remedies run through the VCPA's private right of action, not through a complaint to the AG under the VCDPA.
What "personal data" and "sale" mean under the VCDPA
Understanding the VCDPA's scope requires knowing how it defines two foundational terms.
"Personal data" under Va. Code Ann. § 59.1-575 means any information that is linked or reasonably linkable to an identified or identifiable natural person. It expressly excludes de-identified data and publicly available information. The "natural person" qualifier means that business-to-business data and employee data used solely for employment purposes are not in scope (a meaningful contrast to California, which spent years debating HR data carve-outs).
"Sale of personal data" is defined as the exchange of personal data for monetary consideration by the controller to a third party. This definition is narrower than the CCPA's. The CCPA's definition of "selling" was extended by the CPRA to cover "sharing" for cross-context behavioral advertising even without payment. Under the VCDPA, a transfer without monetary consideration, such as sharing data with an advertising partner in exchange for services rather than cash, may not qualify as a "sale" triggering the opt-out right, though it would still be covered by the targeted advertising opt-out right if used for that purpose.
Controllers should not rely on the sale definition alone to determine whether opt-out rights apply. A consumer's right to opt out of "targeted advertising" is separate from their right to opt out of "sale," and both rights must be honored regardless of whether money changes hands.
Related guides
- VCDPA Consumer Rights: Exercise Your Virginia Privacy Rights
- VCDPA Compliance Checklist for Businesses (2026)
- Virginia Data Privacy Laws: VCDPA Consumer Rights Guide (2026)
- Virginia Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)
Sources and References
- Va. Code Ann. §§ 59.1-575 through 59.1-584 — Virginia Consumer Data Protection Act, Chapter 53 of Title 59.1 (law.lis.virginia.gov)
- Va. Code Ann. § 59.1-575 — Definitions (including "sensitive data", "personal data", "sale of personal data") (law.lis.virginia.gov)
- Va. Code Ann. § 59.1-576 — Scope and Applicability (100,000/25,000 thresholds; exemptions) (law.lis.virginia.gov)
- Va. Code Ann. § 59.1-577 — Consumer Rights (access, correct, delete, portability, opt-out; 45-day response) (law.lis.virginia.gov)
- Va. Code Ann. § 59.1-578 — Controller Responsibilities (sensitive data opt-in consent; HB 707 children's data amendment) (law.lis.virginia.gov)
- Va. Code Ann. § 59.1-580 — Data Protection Assessments (law.lis.virginia.gov)
- Va. Code Ann. § 59.1-584 — Enforcement and Penalties (AG-exclusive; 30-day cure; $7,500 per violation; no private right of action) (law.lis.virginia.gov)
- Virginia LIS — SB 1392 (2021 Regular Session, VCDPA original enacting bill) (lis.virginia.gov)
- Virginia LIS — SB 754 (2025 Session, reproductive/sexual health data protections under VCPA, eff. July 1, 2025) (lis.virginia.gov)
- Virginia Attorney General — Data Privacy Day Statement, January 28, 2025 (AG Miyares on consumer data rights) (oag.state.va.us)
- Virginia Attorney General Jay Jones — Consumer Data Privacy Rights Reminder (oag.state.va.us)