Virginia comprehensive privacy law establishing consumer data rights, controller obligations, and data protection assessment requirements for organizations targeting Virginia residents.
The Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, is a comprehensive state privacy law establishing consumer rights over personal data and imposing obligations on controllers and processors that conduct business in Virginia or target Virginia residents. The VCDPA applies to entities controlling or processing personal data of at least 100,000 Virginia consumers or 25,000 consumers while deriving over 50% of revenue from data sales.
The VCDPA grants consumers five rights: the right to access their personal data, the right to correct inaccuracies, the right to delete personal data, the right to data portability in a usable format, and the right to opt out of processing for targeted advertising, sale of personal data, and profiling with significant effects. Controllers must limit data collection to what is adequate, relevant, and reasonably necessary (data minimization), establish reasonable security practices, conduct data protection assessments for processing activities that present heightened risk (targeted advertising, sale of data, profiling, sensitive data processing), and obtain opt-in consent before processing sensitive data including racial origin, religious beliefs, health diagnosis, sexual orientation, citizenship status, genetic data, biometric data, children's data, and precise geolocation. Controllers must provide clear privacy notices and establish mechanisms for consumers to exercise their rights. The Virginia Attorney General has exclusive enforcement authority with a 30-day cure period before initiating action.
The VCDPA was the second comprehensive US state privacy law after CCPA, establishing a model that Connecticut, Colorado, Utah, and numerous other states have closely followed. Its controller-processor framework mirrors GDPR terminology, creating consistency for organizations building multi-jurisdiction compliance programs. The data protection assessment requirement introduces DPIA-like obligations to US privacy law. The VCDPA's cure period provision is scheduled for sunset review, and the Virginia Attorney General has signaled increasingly aggressive enforcement as the law matures.
CDA maps VCDPA compliance to the Data Protection and Sovereignty domain within C-BUILD campaigns. Our Rosetta Stone compliance engine tracks VCDPA alongside CCPA/CPRA, GDPR, and other state privacy laws, enabling organizations to implement unified privacy programs that satisfy multi-jurisdiction requirements through CDA's structured mission methodology.
Written by CDA Editorial