Virginia Consumer Data Protection Act
Posted: February 25 2026
The Virginia Consumer Data Protection Act (“VCDPA”) is a state law that provides residents of the Commonwealth of Virginia privacy rights when dealing with businesses that collect, use, and sell their personal information.
History
2021
The Virginia Consumer Data Protection Act (“VCDPA”), SB1392, was passed by the Virginia Senate in February of 2021 and was accompanied by HB2307 in the Virginia House of Delegates. After reconciliation between the House and Senate bills, the VCDPA was signed into law in March 2021 by Governor Ralph Northam.
2023
The VCDPA went into effect on January 1, 2023.1
2025
In 2025, the VCDPA was amended to include provisions limiting screentime for children under 16.2
Scope
Who
The Virginia Consumer Data Protection Act (“VCDPA”) is intended to protect personal data of consumers - residents of Virginia who are not acting in a commercial or employment context.
The VCDPA applies to entities that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth of Virginia and that do one or more of the following:
- control or process personal data of at least 100,000 consumers in a calendar year, or
- control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data in a calendar year.3
The VCDPA distinguishes between controllers and processors.4 A controller is an entity that, alone or jointly with others, determines how personal data is processed.5 A processor is an entity that processes personal data on behalf of a controller.6
The VCDPA imposes restrictions and obligations on the relationship between controllers and processors – requiring that the contracts between controllers and processors set forth the following:
- the nature and purpose of processing,
- the type of data subjects involved,
- the duration of processing,
- rights and obligations of both parties,
- requirements for processor confidentiality,
- obligation to return or delete data upon request or at the end of the services,
- obligation for contracts with subcontractors to meet the requirements of the processor with respect to personal data, and
- the ability to demonstrate compliance with these contractual requirements.7
What
Personal Data
The VCDPA provides individuals rights of access, deletion, and control when interacting with businesses that collect and sell (or share) their personal data. These rights are granted to individuals who are consumers – a person who is a resident of the Commonwealth of Virginia acting in an individual or household context, not a commercial or employment context.8
Sensitive Data
Sensitive data is a type of personal data that includes any personal data that reveals:
- racial or ethnic origin,
- religious beliefs,
- mental or physical health diagnosis,
- sexual orientation,
- citizenship or immigration status,
- genetic information,
- biometric data generated by automatic measurement of a biological characteristic that is used to identify a person such as fingerprint, voiceprint, retina scan, or iris scan,
- personal data of children (someone younger than 13 years of age),9 or
- precise geolocation data (information that directly identifies the specific location of a person within a radius of 1,750 feet).10
These types of data are considered sensitive because misuse, loss, or unauthorized disclosure of the data can have a more significant impact on data subjects than with other types of personal data. For example, this data can lead to discrimination, financial loss, identity theft, or reputational damage. Under the VCDPA, sensitive data may not be processed without obtaining consent from the data subject.11
If the data concerns a child, parental consent can be given in accordance with the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).12 Consent must be:
- Freely given, meaning the consent is given voluntarily,
- Specific, meaning the consent is given for a clearly defined purpose,
- Informed, meaning the data subject is provided an explanation of how the data will be processed, and
- Unambiguous, meaning it is clear the data subject has consented (e.g., by clicking “I agree”).
Social Media Platform Time Limits
The VCDPA requires that controllers or processors operating social media platforms limit the use of social media platforms for minors under the age of 16 years to one hour per day unless parental consent is obtained to increase or decrease the daily time limit.13 Such consent must be freely given, specific, informed, and unambiguous.14
Exemptions
Law Enforcement
Controllers are not required to comply with the VCDPA when:
- doing so would restrict their ability to comply with federal, state, or local laws, rules, or regulations or to comply with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; or
- cooperating with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.15
Commonwealth and Political Subdivisions
The VCDPA does not apply to any body, authority, board, bureau, commission, district, or agency of the Commonwealth of Virginia or of any political subdivision of the Commonwealth.16
Employment Data
The VCDPA does not apply to data processed for job applicants, employees, or contractors to the extent that data is used within the context of that role. Nor does it apply to emergency contact information or data necessary to administer benefits of applicants, employees, or contractors.17
Deidentified Data
The VCDPA includes an exemption for deidentified data.18
Deidentified data is data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.19 Controllers possessing deidentified data must:
- take steps to ensure that the data cannot be linked back to an individual,
- publicly commit to not attempting to reidentify the data, and
- contractually obligate any recipients of the deidentified data to not attempt to reidentify the data.20
Personal Data Covered Under Other Law
The following data is exempt from the VCDPA:21
- Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA)
- Health records for the purposes of Title 32.1 of the Code of Virginia, which covers health related services.
- Patient Identifying Information for the purposes of 42 U.S.C. § 290dd-2, which covers confidentiality of records related to substance abuse and mental health services.
- Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects.
- Identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, which govern research involving human subjects.
- Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.)
- Collection, maintenance, disclosure, sale, communication, or use of personal data bearing on a consumer's credit worthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.)
- Data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.)
- Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.)
- Personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.)
- Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.)
Higher Education
The VCDPA does not apply to higher education institutions.22
Publicly Available Data
The VCDPA does not apply to publicly available information.23 Publicly available information is:
- information that is lawfully made available through federal, state, or local government records, or
- information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information.24
Rights
Residents of the Commonwealth of Virginia have several rights under the VCDPA:25
- Right to Know
- Right to Correct
- Right to Delete
- Right to Opt Out
- Right to Opt In for Sensitive Data
- Right to Not Be Discriminated Against
Right to Know
Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.26 This includes the right to obtain a copy of their data in a format that is portable such that the consumer can transmit the data to another controller without hindrance.27
Additionally, this right is embodied in the various disclosures that businesses must make in their privacy notice. The notice must include:
- the categories of personal data processed by the controller,
- the purpose for processing personal data, including a disclosure of any sale of personal data or targeted advertising,
- how consumers can exercise their rights,
- the categories of personal data that the controller shares with third parties, and
- the categories of third parties with whom the controller shares personal data.28
Right to Correct
Consumers have the right to request that a controller correct inaccuracies in the consumer’s personal data.29
Right to Delete
Consumers have the right to request that a controller delete any personal data provided by the consumer or obtained about the consumer.30
Right to Opt Out
Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, or consumer profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Targeted advertising is when a controller displays advertisements to a consumer where the advertisements are selected based on the consumer’s personal data that has been obtained over time and from across non-affiliated websites or online applications and is used to predict the consumer's preferences or interests.31 Targeted advertising does not include:
- advertisements based on activities within a controller's own websites or online applications,
- advertisements based on the context of a consumer's current search query or current visit to a website or online application,
- advertisements directed to a consumer in response to the consumer's request for information or feedback, or
- personal data processed solely for measuring or reporting advertising performance.32
Sale of data is when a controller exchanges personal data with a third party for monetary consideration.33 Sale does not include:
- disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- disclosure or transfer of personal data to an affiliate of the controller or that is made as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
- disclosure of information that the consumer intentionally made available to the general public.34
Profiling is when a controller uses automated processing on personal data to evaluate, analyze, or predict personal aspects related to a consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.35
Right to Opt In for Minors
Controllers may not process personal data of children under the age of 13 for targeted advertising, cannot sell such personal data, and cannot use that personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning the child unless the controller has obtained consent from the child’s parent or legal guardian in accordance with the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.).36
Right to Opt In for Sensitive Data
Controllers may not process sensitive data without obtaining consent from the consumer. Accordingly, the consumer has the right to not have their sensitive data processed unless they have opted into such processing.37 Such consent must be freely given, specific, informed, and unambiguous.38
Right to Not Be Discriminated Against
Consumers have the right for their personal data to not be processed in violation of state and federal laws that prohibit unlawful discrimination.39 Consumers also have the right to not be discriminated against by a controller for exercising their consumer rights.40 A controller cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer because that consumer exercised their VCDPA rights.41
However, the VCDPA does not prevent a controller from offering different prices, rates, levels, qualities, or selections of goods or services if such difference is unrelated to the consumer’s assertion of their consumer rights.42
Exercising Rights
A consumer may exercise their rights to know, correct, delete, or opt out under the VCDPA by submitting a request to the controller that specifies the right they wish to invoke.43
Within the controller’s privacy notice, the controller must describe one or more means by which a consumer can submit a request to exercise their consumer rights.44 This mechanism cannot require the creation of a new account to exercise the consumer’s rights.45
A controller must respond to the consumer’s request within 45 days of receipt and may request additional information needed to authenticate the consumer and their request.46 If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend their response period by 45 days so long as the controller notifies the consumer within the initial 45-day period of such extension and provides a reason for the extension.47
Furthermore, a controller must provide information in response to a consumer request free of charge, up to two times per year.48 If a consumer’s requests are unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or refuse to act on the request.49 A controller may also refuse the request if they cannot reasonably authenticate the consumer.50
Controllers must establish an appeals process for a consumer to appeal any refusal by the controller to take action on a request.51
Enforcement
The Attorney General of the Commonwealth of Virginia has sole authority to enforce the provisions of the VCDPA.52 The Attorney General must first issue a written notice of violation to a controller or processor and provide the controller or processor 30 days to cure the violation.53 If the controller or processor fails to cure the violation during the 30-day period, the Attorney General may pursue an injunction and issue a civil penalty of up to $7,500 for each violation.54 Civil penalties and related expenses and attorney fees are credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.55
Notes
- VA. Code Ann. § 59.1-580
- VA. Code Ann. § 59.1-577.1
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-579
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-577.1
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-582
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-581
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-581
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-575
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-578
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-577
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-576
- VA. Code Ann. § 59.1-576