Virginia Consumer Data Protection Act (VCDPA): What You Need to Know

The new Virginia privacy law (VCDPA) is in effect. Find out who needs to comply, what rights it gives to consumers, and more in our guide.

It's commonly known that our data is the new gold standard for countless companies. That data gives them the opportunity to sell it to external affiliates and vendors for advertising, sales, and marketing purposes. As our digital footprints grow, so does the need for stronger data protection laws against companies' practices of selling personal data.

Although there's limited protection for consumer data nationally, some states are taking the matter into their own hands and holding companies liable for selling consumer data to third parties. Virginia is one of several states that have begun passing and enforcing consumer data privacy and protection regulations.

The Virginia Consumer Data Protection Act (VCDPA) was passed in March 2021 and has been in effect since January 1, 2023. The law provides more data and privacy protections for Virginia residents. It also holds businesses that conduct deceptive data-selling practices more legally accountable for their actions.

Read on to learn what you need to know about this new data protection law in Virginia and how its passage may encourage other states to follow suit.

In this article

  • What is the Virginia Consumer Data Protection Act?
  • Who has to comply with the Virginia privacy law?
  • What rights does the VCDPA give consumers?
  • What rules do businesses need to follow under the VCDPA?
  • How is the VCDPA enforced?
  • Virginia privacy law FAQs
  • Bottom line

What is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act (VCDPA) is a legislative bill derived from HB 2307 and SB 1392.

The VCDPA was first presented to the state House of Delegates in January 2021. It was passed in both branches of Virginia's state legislature in February 2021, with a large majority of support from both parties. The governor of Virginia signed the act into state law in March 2021, with full enactment on January 1, 2023.

According to the legal resource website LegiScan, the main goals of the Virginia CDPA are as follows:

"The bill outlines data controllers and processors' responsibilities and privacy protection standards. The legislation provides consumers the rights to access, correct, delete, obtain a copy of personal data, and to opt out of processing personal data for targeted advertising."

The law doesn’t apply to state or local governmental organizations and contains exemptions for specific types of consumer data and information governed by federal law.

The VCDPA was developed and written based on the General Data Protection Regulation (GDPR), which was developed by the European Union (EU) and passed in 2018. The GDPR empowers regulators to levy steep fines against organizations that violate its privacy and security standards.

Similarly, the VCDPA establishes data protection standards and allows the state to fine businesses that violate the act.

Virginia is only the second state in the U.S. to enact a data privacy law of this kind. The only other privacy legislation currently in force within the U.S. is the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It's anticipated that, as data privacy issues continue to surface, more states will follow suit with laws similar to the VCDPA and CCPA.

Who has to comply with the Virginia privacy law?

You’re expected to comply with the Virginia privacy law if you operate your business in Virginia or sell products or services geared toward residents in Virginia. This law aims to protect consumer data that’s in the hands of companies that collect or store personal data, including any mobile or web applications.

Those required to comply with this law are separated into two categories: data manager and data handler (the roles the act itself refers to as the data controller and the data processor).

  • Data manager (controller): The data manager is a legal entity that sets the controls and processes for the storage, protection, and sharing of personal consumer data.
  • Data handler (processor): The data handler is the party that carries out the processing of personal data on behalf of a data manager.

The Virginia privacy law also covers the following: "The bill applies to all persons that conduct business in the Commonwealth (of Virginia) and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers."

What is "personal data" under the Virginia CDPA?
According to data regulatory research site OneTrust DataGuidance, "Personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person. However, it does not include de-identified data or publicly available personal information."

Who is exempt from complying with the VCDPA?

Although countless businesses are expected to comply with the VCDPA, you should first check whether your business or the data you collect is exempt from this law.

The exemptions fall into two main categories: entity-level exemptions and data-level exemptions.

Entity-level exemptions

These focus on the industry and business that collects and stores consumer data. The Virginia CDPA exempts five main types of entities:

  1. A body, authority, board, bureau, commission, district, or Virginia-based agency or any political subdivision of the Commonwealth.
  2. Any financial institution, data controller, or data processor that’s required to adhere to the Gramm-Leach-Bliley Act (GLBA).
  3. Covered entities or businesses that are subject to complying with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
  4. Nonprofit organizations.
  5. Higher education institutions such as colleges or universities.

The list above covers the five most common business entities that are exempt from the VCDPA privacy law. For a more in-depth list of industry and business entity exemptions, we recommend reading the full text of the bill on the Virginia legislative information system website.

Data-level exemptions

These exemptions are based solely on the type of consumer data that is collected and stored by a business entity. Below is a list of a few data types that are exempt from the VCDPA.

  • Patient health information that’s covered under HIPAA.
  • Medical health records that are intended for the purposes of Title 32.1.
  • Data generated for the purposes of the Health Care Quality Improvement Act of 1986.
  • Employee safety work development for the Patient Safety and Quality Improvement Act objectives.
  • Private individual driver data that is gathered, managed, sold, or shared in accordance with the federal Driver's Privacy Protection Act of 1994.
  • Personal information that is controlled by the federal Family Educational Rights and Privacy Act.
  • Personal data that is compiled, processed, transferred, or shared in keeping with the federal Farm Credit Act.

What rights does the VCDPA give consumers?

The main goal of the VCDPA is to hold businesses accountable for selling consumer data and compromising consumers’ right to privacy.

Virginia consumers have a number of rights that control how businesses use the personal information they retain. Some of the rights written into the Virginia privacy law are similar to those in the California privacy law.

The following is a breakdown of the six main rights that consumers are given under the Virginia CDPA.

Right to access, correct, and delete

Businesses must grant access to data per a consumer’s request. The law also gives consumers the authority to correct inaccuracies and request the deletion of their data from business entities that control and store their information internally.

Right to data portability

Consumers have the right to receive a copy of their personal data that was previously provided to the data controller in a portable electronic format.

Right to not be discriminated against

Businesses aren’t allowed to process personal data in a method that violates state or federal anti-discrimination practices.

Right to opt out of the sale of personal data, targeted advertising, and profiling

Consumers can opt out of the sale of their personal data, of its processing for targeted advertising, and of certain forms of consumer profiling.

Right to opt in to the processing of sensitive data

The right to opt in to the processing of sensitive data means that controllers aren't permitted to collect or process sensitive data without first obtaining the consumer's consent.

Additionally, any sensitive data concerning known juveniles may not be processed except in keeping with the federal Children's Online Privacy Protection Act (COPPA).

Right to appeal

Consumers have the right to appeal a data controller's refusal to act on their request within the time set forth in the law.

What rules do businesses need to follow under the VCDPA?

Under the VCDPA there are several compliance rules that data controllers and processors are expected to follow. Below is a list of the five rules that businesses need to follow in order to maintain compliance under the Virginia CDPA:

Limitations to data use

Once the data has been collected, the law states that an entity's processing of consumers' personal data must be limited to the purposes disclosed to the consumer.

Additionally, it states that any use of that consumer's personal data outside that disclosed scope requires additional consumer consent.

Technical safeguards

Similar to other data privacy laws, such as the CCPA and the EU GDPR, the Virginia law says data controllers must "establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."

Data protection assessments

This law also requires controllers to conduct "data protection assessments," which evaluate the risks associated with their data processing activities.

Data processing agreements

The Virginia privacy law requires businesses to have agreements in place with data processors that “clearly set forth instructions for processing data, the nature, and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties involved.”

Privacy policy

The act requires businesses to create and share a privacy policy with consumers that includes the categories of personal data processed and shared with third parties. In addition, the privacy notice must include information about those third parties.

How is the VCDPA enforced?

The office of the Virginia attorney general enforces the VCDPA. As stated in the bill, "whenever the Attorney General has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the Attorney General is empowered to issue a civil investigative demand."

The law states that all controllers and processors have up to 30 days to act on notices of violations of the law. Businesses can request an extension of up to 45 days in order to respond to an investigation.

Data controllers and processors found to be in violation of the act are required to mitigate the violation and provide the attorney general with an “express written statement that the alleged violations have been cured and that no further violations shall occur.”

If the data controller fails to respond or fix the violation, it can be subject to a fine of up to $7,500 per violation.

How much are VCDPA fines?
If found in violation of the VCDPA, the Virginia attorney general’s office can fine business entities up to $7,500 per violation.

Virginia privacy law FAQs

Is the Virginia privacy law in effect?

The Virginia privacy law was signed into law in March of 2021 and is now in effect as of January 1, 2023.

Which states have passed privacy laws?

In the U.S., only California currently has a data privacy law in force. The Virginia data privacy law will be the second U.S. law of its kind to go into effect, in January 2023. Several states, including Colorado, Connecticut, and Utah, have similar laws that go into effect in the second half of 2023.

Can my personal data be shared without permission?

No, according to the VCDPA and other data privacy laws, written consent is required before your data can be shared.

According to the Office of Privacy and Civil Liberties, “The general rule under the Privacy Act is that an agency cannot disclose a record contained in a system of records unless the individual to whom the record pertains gives prior written consent to the disclosure.”

Bottom line

Data privacy and protection continue to be an increasingly hot topic. Many people want stricter laws and larger fines against companies that sell their personal data to third parties. Additionally, these deceitful business practices also open up the opportunity for consumer data to be compromised or stolen by cybercriminals in data breaches.

If you own a business, it’s important to be aware of these data privacy laws and their requirements. Take a look at our guide to complying with GDPR to get a better idea of the steps you’ll need to take to also comply with VCDPA and other state laws.

For consumers, the good news is you don’t need to wait for your state or country to enact and enforce data privacy laws. You can take your online privacy into your own hands by changing your online privacy settings.

Author Details
Amanda is a technical content writer based in Illinois, USA. She has a Master of Science in Cybersecurity. After years of working in the tech and cybersec field, she pivoted her career to content marketing and writing within these industries.