Skip to main content

What is the Virginia Consumer Data Protection Act?

by Chris Brook on Tuesday November 22, 2022

Contact Us
Free Demo

Learn why organizations will need to implement security practices to protect sensitive data under the Virginia Consumer Data Protection Act (VCDPA), set to go into effect in 2023.

If your company does business in Virginia, you’ll need to be aware of the Virginia Data Protection Act. Designed to give consumers greater control over their personal data, it introduces new rules and regulations that carry financial penalties for any company not in compliance. In this article, we’ll take a closer look at the act and learn what you need to know in order to stay ahead of the game.

What is the Virginia Consumer Data Protection Act?

Every state has unique data breach notification laws, and in recent years, more states are implementing new regulations requiring businesses to protect consumers’ personal information. After California implemented the California Privacy Rights Act (CPRA) of 2020, Virginia became the second state to have consumer privacy legislation when Governor Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law on March 2, 2021. Colorado followed suit with the Colorado Privacy Act, which takes effect on July 1, 2023. 

The VCDPA allows consumers to access their personal data stored by businesses and other organizations. They can also ask companies to delete their personal information.

Under VCDPA, companies are required to conduct regular data protection assessments if they collect personal data for sale or targeted advertising purposes. This act applies to entities that conduct business in Virginia and

  • control or process the personal data of more than 100,000 consumers per year; or
  • control or process the personal data of a minimum of 25,000 consumers and generate at least 50 percent of their gross revenue from that data.

Responsibilities of a Controller Under the VCDPA

According to the VCDPA, a controller is an entity that collects, stores, or processes personal data. A controller is required to perform the following actions whenever requested:

  • Provide the option to consumers to easily opt out of their data processing activities
  • Provide the consumer with access to their personal data
  • Provide a copy of data in a portable and usable format
  • Ensure that the data they collect is up to date
  • Delete personal data

Whenever a consumer makes a request to edit or delete their personal data, the controller must respond within 45 days. However, the timeline may be extended under some circumstances.

What is Protected Under the VCDPA?

Under this act, consumers have certain rights over their personal data, such as:

  • The right to access and confirm their personal data
  • The right to correct any inaccuracies in their personal data
  • The right to delete their personal data
  • The right to opt out from personal data processing for targeted advertising or sale of data
  • The right to be treated fairly for exercising any of the above rights

Companies must also obtain the consent of consumers before collecting or processing their data.

Penalties for Non-Compliance With the VCDPA

If a company is subject to the VCDPA and fails to comply, it may be subject to a substantial financial penalty. More specifically, the penalty can be up to $7,500 for each violation plus attorney’s fees. However, individual consumers cannot sue a company for VCDPA violations.

The new law also comes with a consumer privacy fund. As penalties are imposed on companies, the fund will grow, and the money collected will be used to enforce the act.

How to Comply With the VCDPA

Here are some steps your company should take to comply with the VCDPA.

  • Privacy policy: Your company needs to have an up-to-date privacy policy. This will provide consumers with the information they need to learn how your company plans to process their data.
  • An opt-out technique: Customers must be able to easily opt-out of the data collection process. For example, it could be as simple as a link that says “Click to avoid selling your personal data”. This link can be given online in the privacy policy.
  • Honor the Subject Access Request (SAR): When a consumer submits a SAR, the company must verify the identity of the consumer so that the personal information of another user is not given to someone else. Once the identity is verified, the company must respond to the SAR within 45 days.
  • Data classification: With data classification and data protection solutions, companies can quickly locate a subject’s data and comply with other privacy regulations such as SOX, HIPAA, GDPR, etc. If your company stores unstructured data that’s scattered on multiple computers, it’s important to classify and store data in the right way to comply with safety standards. 

The VCDPA covers any data collected after January 1, 2023. This gives enough lead time for businesses to update their privacy settings and implement compliance rules before the act comes into effect.

Since the new law doesn’t have any major rules regarding record-keeping processes, businesses can adopt any process. If a company is already GDPR compliant, it will already have a process to handle requests from consumers, and this should suffice in most cases.

Limitations to the VCDPA

The Virginia Consumer Protection Act doesn’t apply to state agencies, colleges, universities, non-profit organizations, and other entities that are otherwise subject to Gramm-Leach-Bliley Act.

Also, as mentioned earlier, residents of Virginia will not be able to directly sue a company for rule violations. The enforcement of the law will be controlled by the state attorney general, who will be responsible for seeking damages from companies.

The law comes with a 30-day cure period, a positive aspect for businesses. If a business receives a letter that indicates its non-compliance with the new law, they have a 30-day period to communicate with the attorney general and remedy any possible violations. 

This helps them amend their policies and avoid any potential fines. Once the necessary changes have been made, the business can issue a written statement to the attorney general that the alleged violations have been remedied and will not occur again.


The VCDPA introduces a number of changes that businesses will need to be aware of and adopt. The key points are as follows:

  • The changes come into effect on January 1, 2023.
  • Consumers have the right to review, edit and delete their personal data.
  • Consumers can opt-out of the data collection process.
  • Companies must respond to a Subject Access Request (SAR) within 45 days.
  • Companies have a 30-day right-to-cure period to resolve any non-compliance issues.

While the VCDPA might pose challenges to some, being aware of the requirements and their implications can help your business to sail through the changes ahead. 


Tags:  Data Protection Data Privacy

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.

Get the latest security insights
delivered to your inbox each week.