🆕  Migrate from OneTrust seamlessly with Ketch Switch. Exclusive offer through 4/30/2025.
The Virginia Consumer Data Protection Act (VCDPA), signed into law on March 2, 2021, and effective January 1, 2023, grants Virginia residents significant privacy rights over their personal data. These rights include the ability to access, correct, delete, and obtain copies of their personal information, as well as opt out of the sale of their data. As the second state after California to enact comprehensive consumer data privacy legislation, Virginia's VCDPA underscores the growing emphasis on data protection in the United States.
The Virginia Consumer Data Protection Act (VCDPA) distinguishes itself by adopting a GDPR-like framework, clearly defining roles for "controllers" and "processors," each with specific obligations. It also mandates opt-in consent for processing sensitive data, such as race, health, and precise geolocation information, offering stronger protections compared to many U.S. state privacy laws.Â
Unlike California’s CCPA/CPRA and the California Privacy Act, the VCDPA does not include a set of regulations or other regulatory guidance.Â
A regulation is a rule or order that is issued by a government agency to implement a law. Regulations are usually more specific than laws, and they provide guidance on how to comply with the law. So businesses only have the text of the Virginia privacy law to guide their compliance with the law.
The Virginia data privacy law introduces several critical terms that businesses and consumers need to understand, as defined in § 59.1-575 of the Code of Virginia.
‍The Virginia Consumer Data Protection Act (VCDPA) applies to entities conducting business in Virginia or targeting its residents, and that either:
The VCDPA defines “consumers” to mean Virginia residents acting only in an individual or household capacity. It does not include Virginia residents acting in a commercial or employment capacity:‍
“Consumer” means a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
‍§ 59.1-575 of the Code of Virginia‍
‍The Virginia Consumer Data Protection Act (VCDPA) exempts certain entities and data types:
These exemptions are detailed in § 59.1-576 of the Code of Virginia.
In the absence of a comprehensive federal privacy law in the U.S., which currently relies on sector-specific regulations like COPPA, HIPAA, and GLBA, several states have initiated their own data protection legislation. Notably, Virginia became the second state, following California, to enact such measures with the Virginia Consumer Data Protection Act (VCDPA).Â
The VCDPA mostly adopts a notice and opt-out choice regime, and enables consumers to opt-out of sale, targeted advertising and profiling. Virginia also provides consumers with the right to access, correct, port and delete their data. But there are some nuances to the Virginia Consumer Data Protection Act which are worth noting.
Like most privacy and data protection laws promulgated over the past five years, Virginia has adopted a broad definition of personal information. It is designed to cover pseudonymous personal data (e.g., IP address, Mobile Advertising ID (MAID), Hashed Email (HEM)) and identifiable personal data (e.g., email or postal address, telephone number).Â
There are exemptions for “public” information and “de-identified” data. Moreover, the rules around data subject access rights do not apply to pseudonymous personal data so long as the controller is able to demonstrate that any information necessary to identify the consumer is stored separately and subject to controls that would prevent the controller from accessing the information.
Virginia mostly has a notice and opt-out choice regime. That means that you can process most types of data, so long as:
But be careful! Virginia requires opt-in consent for the processing of “sensitive information” (see below).
A data subject access request (DSAR) is a formal request from an individual (the data subject) to a company, requesting to see a copy of their personal data stored with the company.Â
The Virginia privacy law provides consumers with the right to see the data that companies have on them. Consumers then have the right to correct and/or delete that information. Consumers may also request that their personal data be provided in a form that enables the consumer to port it to a different company.Â
However, the above DSAR requests do not apply to pseudonymous personal data so long as the controller adopts certain controls to ensure that it isn’t able to identify the data subject.
The Virginia data privacy law includes an important category of data called “Sensitive Data.” Sensitive Data is modeled on “special category” data in EU data protection law. It includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child.
Virginia requires opt-in consent prior to processing sensitive data. Collecting potentially sensitive data will likely require some adjustments to many companies’ data taxonomy and data governance ruleset.
The VCDPA utilizes the GDPR terms for controller (i.e., controls the means of processing) and processor (i.e., takes direction from the controller). Similar to California’s CCPA, the VCDPA uses the term “third party” to designate any entity that is NOT a consumer, controller, processor, or an affiliate of the processor or the controller.
Like some other states, Virginia places guard rails around how companies may process data. The expectation is for companies to only collect data that is absolutely necessary (“data minimization”) and to store it for as little time as possible (“data retention”).
Virginia requires companies that engage in certain types of processing activities (e.g., sales, certain profiling, targeted ads, use of sensitive data) to complete Privacy Assessments (PAs): systematic evaluations of their data collection and use practices with an eye towards identifying risks and minimizing or eliminating those risks.
The VCDPA suggests a data processing agreement (DPA) between controllers and processors. The purpose of a DPA is to outline how the parties plan to ensure that their intra-party data transfers are compliant with privacy laws, and to specify the permitted uses of the data.
While GDPR ushered in a new era of large privacy and compliance fines, a few of the U.S. State Privacy Laws also incorporated some fairly aggressive fine structures. The first CCPA fine was $1.2 million.Â
Fines are often determined by the number of violations–which is often dependent on the number of records in your database. Needless to say, those numbers can add up quickly if you’re working with millions of consumers in one of the states–and the fines typically don’t include legal fees or injunctive relief.
‍
‍
‍
The Virginia Consumer Data Protection Act (VCDPA) is enforced by the Virginia Attorney General. Upon identifying a potential violation, the Attorney General must provide a 30-day written notice to the offending party, specifying the provisions violated. If the violation is not remedied within this period, the Attorney General can initiate legal action seeking injunctive relief and impose civil penalties of up to $7,500 per violation.Â
It's important to note that the VCDPA does not grant consumers a private right of action; enforcement authority rests solely with the Attorney General.Â
Therefore failure to comply with the VCDPA can result in:
‍
.webp)
‍
The Virginia data privacy law significantly enhances consumer privacy rights for Virginia residents. Under the Virginia privacy law, consumers are empowered to:
‍The Virginia Consumer Data Protection Act is similar in many respects to recent privacy laws passed in California, Connecticut, Colorado, Nevada, and Utah.
What these U.S. state laws have in common is the implementation of a notice and opt-out choice regime.
A “notice and opt-out choice regime” means that business can process most types of data as long as there is a consumer-facing privacy notice that describes the intended use of data, and the consumer (data subject) is provided with the opportunity to opt-out of certain uses of such data (e.g., profiling, sale, targeted ads).
‍
‍
The Virginia Consumer Data Protection Act (VCDPA) is similar to many U.S. state laws, and the following characteristics make it an important consideration for privacy program owners:Â
If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are eight key steps every business should take to ensure they don’t fall foul of regulators:
VCDPA compliance involves businesses implementing measures to protect consumer data, such as conducting data protection assessments, obtaining explicit consent for processing sensitive data, and providing clear privacy notices. Compliance ensures adherence to the Virginia Consumer Data Protection Act's requirements.Â
To comply with VCDPA, you must:
As noted above, the VCDPA generally operates under a notice and opt-out choice privacy regime. Although the VCDPA ruleset does not focus directly on secondary use of data, it’s nonetheless really important to provide clear and detailed privacy notices.
The only way to manage data governance across a full data ecosystem is to individually label every single bit of data you collect, effectively creating a layer of metadata that articulates how any given fact or unit of information can be used [APC1].
For instance, Ketch can automatically crawl and scan your data ecosystem to create and maintain that classification of data labeling metadata so that you can understand, and act on data that’s within the scope of the Virginia privacy regulation.
Your data labels can’t be written in permanent ink. Instead, they need to reflect the rules under which the data subject is operating (which may be subject to change). For that reason, it’s important that your systems are nimble and flexible enough to allow users to change their minds and revoke or modify permissions at any moment.
Data labels can’t be anchored in your own internal data-handling processes; instead, they need to be incorporated into the data itself. That’s vital because it’s the only way to ensure that changes made by your users will propagate out to your outside partners, and define their data-handling processes too.
Rules change, and new privacy rules are being written all the time. By encoding compliance metadata directly into your data, you can ensure that your datasets can quickly be brought into compliance not just with Virginia Consumer Data Protection Act as they exist today, but with any new iterations or copycat statutes introduced by other states.
Unlike GDPR, the VCDPA does not require the appointment of a data protection or privacy officer with a legally mandated set of responsibilities.
Regardless, it’s still a good idea to have an internal person or team dedicated to ensuring privacy compliance. And bringing in an outside resource such as a privacy lawyer can help you make sure you understand all of your compliance obligations.
Keeping clear records about how you’re handling data is vital when it comes to communicating with users and regulators.
With the Ketch Data Permissioning Platform, you can:
‍
‍When you automate these processes, you enable your internal stakeholders:Â
‍Gabe's, a leading off-price retailer, prioritized compliance with the Virginia data privacy law ahead of its January 1, 2023, enforcement date. Partnering with Ketch, they implemented a comprehensive data privacy management solution that included:
This collaboration not only ensured VCDPA compliance but also prepared Gabe's for future data privacy challenges, providing a scalable and flexible platform as regulations evolve.Â
Ketch implementation was easy and quick. Today we’re set up not only for VCDPA compliance, but for future data privacy challenges. As data privacy regulations change, Ketch gives us a flexible platform for scaling our reach.
–Tim Rounds, Senior Director, Legal, Gabe’s
VCDPA compliance requires businesses to adopt a proactive approach to data privacy by implementing robust data management practices, ensuring transparency, and staying informed about evolving regulatory requirements.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.Â
Read further: 2025 U.S. State Privacy Laws: what you need to know
