US: Virginia passes comprehensive consumer data protection law

Author: Jim Halpert

Virginia’s Governor signed the Virginia Consumer Data Protection Act (“VCDPA”) into law on March 2, 2021.  The VCDPA takes effect January 1, 2023 and is a broad, multi-rights privacy law that, in some ways, resembles the CCPA, GDPR, and other recently proposed state privacy legislation.  A study committee will review the VCDPA this summer and may prepare clarifications for the legislature to consider next year.

VCDPA applicability

The VCDPA applies to entities that conduct business in Virginia or produce products or services that are targeted to residents of Virginia (“consumers”) and that

  • during a calendar year, control or process personal data of at least 100,000 consumers, or
  • control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Notably, while the CCPA specifies a revenue threshold as part of the applicability determination, the VCDPA instead hinges on the number of consumers that have personal data processed by an entity.  The VCDPA does not apply to the following types of entities: Virginia state agencies; financial institutions or data subject to Title V of GLBA; covered entities or business associates governed by HHS’s HIPAA and HITECH rules; nonprofits; or higher education institutions.

Key provisions

Similar to rights provided by other comprehensive privacy laws, the VCDPA will provide consumers with the right to access, correct, delete, obtain a copy of their personal data, and to opt out of targeted advertising, sales, and a subset of profiling activities that produce legal or similarly significant effects.  Unlike the CCPA and GDPR, the VCDPA does not provide any of these rights to individuals acting in a commercial (e.g., business-to-business) or employment context.

In addition, the VCDPA imposes privacy compliance obligations on “controllers,” such as the requirement to provide a privacy notice that specifies the categories of personal data processed, the purpose for processing personal data, the categories of personal data that the controller shares with third parties, the categories of third parties with whom the controller shares personal data, and how consumers may exercise their consumer rights.  Other key requirements include:

  • an opt-in requirement to process sensitive personal data;
  • mandatory data protection impact assessments for the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects on a consumer, as well as any processing that presents “heightened risk of harm to consumers;”
  • a mandatory internal right of appeal process for a controller’s denials of consumer rights requests; and
  • specific requirements on processors to be accountable to controllers.


The VCDPA does not provide or provide a basis for a private right of action to consumers.  The Attorney General instead has the exclusive authority to enforce the law and may seek damages up to $7,500 for each violation (as well as an injunction and attorneys’ fees).

You may find the full text of the law here:

Please contact Jim Halpert if you have any questions about the VCDPA or what the new law means for your business.