The Virginia Consumer Data Protection Act was the second comprehensive US state privacy law (after CCPA) and the first to use controller/processor terminology rather than CCPA's business/service provider model. This makes VCDPA closer in structure to GDPR than to its California predecessor — useful for organisations already operating under GDPR.
Who it applies to
A "controller" under VCDPA is a person who, alone or jointly, determines the purpose and means of processing personal data, and:
- Conducts business in Virginia or produces products or services targeted to Virginia residents, and
- Either:
  - Controls or processes personal data of at least 100,000 Virginia consumers, or
  - Controls or processes personal data of at least 25,000 Virginia consumers and derives over 50% of gross revenue from the sale of personal data.
The scope is narrower than CCPA's, and there is no standalone revenue threshold: applicability turns on the number of Virginia consumers whose data is processed.
Controller and processor obligations
VCDPA imposes:
- Data minimisation, purpose limitation, security. Familiar GDPR concepts.
- Privacy notice with specified contents.
- Data Protection Assessments for high-risk processing — sale, targeted advertising, profiling with significant effects, sensitive data, processing presenting heightened risk.
- Processor contracts with specified terms (instructions, confidentiality, security, sub-processing notice, audit cooperation).
The processor contract requirements include:
- Confidentiality obligations on personnel.
- Security measures appropriate to the data.
- Engagement of subcontractors only with notice and a contract imposing equivalent obligations.
- Cooperation with the controller's audits.
- Deletion or return at end of engagement.
Consumer rights
Virginia consumers have:
- Right to access, correct, delete personal data.
- Right to data portability.
- Right to opt out of:
  - Sale of personal data.
  - Targeted advertising.
  - Profiling in furtherance of decisions producing legal or similarly significant effects.
Response is due within 45 days, extendable by another 45.
Sensitive data
VCDPA defines a category of "sensitive data" that requires opt-in consent:
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status.
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person.
- Personal data of a known child.
- Precise geolocation data.
This list is narrower than GDPR's special categories but broadly aligned.
What vendor monitoring looks like under VCDPA
The structural similarity to GDPR means GDPR-style monitoring largely satisfies VCDPA. Specific things to track:
- Subprocessor (subcontractor) changes. VCDPA requires the processor to notify the controller and grant the controller an opportunity to object.
- Privacy notice changes affecting consumer rights pathways or sensitive-data handling.
- Sale and targeted advertising flags — vendors that update their notices to indicate they sell or share data, or use it for targeted advertising, change the controller's compliance posture.
Enforcement
The Attorney General has exclusive enforcement authority — no private right of action. There is a 30-day cure period for first-time violations. Enforcement to date has been measured, with informal resolution preferred over public enforcement actions for most matters.