Skip to content
Last reviewed: 2026-05-05 Reviewer: M.K., CIPP/E Methodology Report inaccuracy
Editorial reference emblem — VAStylized regulator-jurisdiction emblem for editorial reference. Not affiliated with or endorsed by any government, regulator, or institution.VA
VCDPA Virginia Attorney General

REGULATION · US STATE · IN FORCE SINCE 2023

Virginia Consumer Data Protection Act

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

EUR-Lex official text Reviewed 2026-05-05 Free reference · sources cited

Scope and territorial reach

Scope

The Virginia Consumer Data Protection Act (VCDPA, Va. Code §59.1-575 et seq.) was the second comprehensive US state privacy law, effective 1 January 2023. It applies to entities conducting business in Virginia or producing products/services targeted to Virginia residents that:

  • Process the data of ≥100,000 Virginia consumers per year, OR
  • Process the data of ≥25,000 consumers AND derive ≥50% of gross revenue from the sale of personal data.

“Sale” under VCDPA means exchange for monetary consideration only — narrower than CCPA which includes “other valuable consideration”.

VCDPA uses an opt-out model — controllers may process personal data unless and until the consumer opts out for specific purposes:

  • Sale of personal data
  • Targeted advertising
  • Profiling that produces legal or similarly significant effects

For sensitive data (race, religion, health, sexual orientation, citizenship status, genetic/biometric data, data from a known child, precise geolocation) — VCDPA requires opt-in consent.

Consumer rights

  • Right to access — confirm whether their personal data is processed and obtain a copy
  • Right to correct inaccurate personal data
  • Right to delete personal data provided by or obtained about them
  • Right to data portability — receive a copy in a portable, readily usable format
  • Right to opt out of sale, targeted advertising, and profiling for significant decisions
  • Right to appeal — controllers must provide an internal appeal process

Response timeline: 45 days, extendable by 45 days once for complex requests.

Universal opt-out signal

VCDPA does not mandate recognition of the Global Privacy Control (GPC) signal. This is a key contrast with California (CCPA) and Colorado (CPA) which do require it. Virginia’s approach treats GPC as one of multiple acceptable opt-out methods, not a mandatory one.

Data Protection Assessments (§59.1-580)

Required for: targeted advertising, sale of personal data, processing of sensitive data, profiling with significant risk, and other “high-risk” activities. Must weigh the benefits to the controller and consumer against the risks. Available to the Attorney General upon request.

Controller and processor obligations

  • Privacy notice — categories of data, processing purposes, sale or sharing categories, consumer rights, and how to exercise them
  • Data security — reasonable administrative, technical, physical safeguards
  • Processor contracts — bind processors to assist with VCDPA obligations

Enforcement

Exclusive enforcement by the Virginia Attorney General — no private right of action. Pre-enforcement 30-day cure period for violations the AG identifies. Maximum civil penalty: $7,500 per violation.

The Virginia AG has taken a moderate enforcement stance through 2024-2026 — focused on warning letters and cure-period compliance rather than maximum penalties. No public final fines as of mid-2026.

How VCDPA compares to CCPA/CPRA

Element VCDPA CCPA/CPRA
Sale definition Monetary only Monetary OR other valuable consideration
GPC signal Not mandatory Mandatory
Sensitive PI Opt-in Limit-use right
Private right of action None Limited (data breaches only)
Cure period 30 days None (CPRA removed it)
Threshold 100k consumers OR 25k+50% $25M revenue OR 100k consumers OR 50%+ revenue from sale

Key references

  • Virginia Attorney General — Office of Consumer Protection
  • Va. Code §59.1-575 through §59.1-585 (statute)
  • Virginia Office of the Attorney General VCDPA implementation guidance

Where it applies — 1 jurisdictions

🇺🇸Virginia
US-VA

Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. 01
    Transparent privacy notice §59.1-578(C)

    Provide a reasonably accessible, clear privacy notice listing categories of data, processing purposes, sale/sharing, third-party categories, and rights-exercise mechanisms.

  2. 02
    Purpose limitation §59.1-578(A)(1)

    Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.

  3. 03
    Data minimization §59.1-578(A)(1)

    Do not process data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes without consumer consent.

  4. 04
    Reasonable security §59.1-578(A)(3)

    Establish, implement, and maintain reasonable administrative, technical, and physical data-security practices appropriate to the volume and nature of data.

  5. 05
    Non-discrimination §59.1-578(A)(4)

    Do not process personal data in violation of state/federal anti-discrimination laws and do not discriminate against consumers exercising VCDPA rights.

  6. 06
    Sensitive data opt-in §59.1-578(A)(5)

    Obtain consumer consent before processing sensitive data — racial/ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, citizenship/immigration status, genetic/biometric data, precise geolocation, and personal data of a known child.

  7. 07
    Data Protection Assessments §59.1-580

    Conduct and document DPAs for high-risk processing — targeted advertising, sale of data, certain profiling, sensitive-data processing, and any activity presenting heightened risk of harm.

  8. 08
    Children's data §59.1-578(A)(5)(vii)

    Process personal data of a known child only in accordance with COPPA; for minors 13-15, opt-in consent is required for sale and targeted advertising.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

§59.1-577(A)(5)–(6)

Default processing (opt-out model)

Sale of personal data, targeted advertising, and profiling for significant decisions are permitted by default until the consumer opts out.

Common for: Analytics, ad measurement, ad personalization
§59.1-578(A)(5)

Opt-in for sensitive data

Required before any processing of sensitive personal data or known-child data.

Common for: Health, biometric, precise geolocation, racial/religious data, child accounts
§59.1-582(A)(1)

Contract / requested service

Necessary to provide a product/service requested by the consumer or to perform a contract.

Common for: Account creation, order fulfilment, subscription delivery
§59.1-582(A)(2)–(3)

Security, fraud prevention, debugging

To prevent, detect, protect against, or respond to security incidents, fraud, or illegal activity, and to debug to identify and repair errors.

Common for: Server logs, abuse signals, error tracking
§59.1-582(A)(4)

Legal obligation

To comply with federal, state, or local laws, rules, or regulations or a lawful investigation.

Common for: Tax records, subpoenas, regulator requests
§59.1-582(A)(7)–(8)

Internal research / quality assurance

To conduct internal research to develop, improve, or repair products/services, or for short-term transient use, performing services, and internal operations reasonably aligned with consumer expectations.

Common for: Product analytics, A/B testing, QA
§59.1-582(A)(6)

Public-interest research

Scientific, historical, or statistical research in the public interest, with appropriate safeguards.

Common for: Academic studies, public-health research
Cookie banner under GDPR Consent Mode v2

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

RightArticleResponseScope
Right to access / confirm §59.1-577(A)(1) 45 days Confirm whether a controller is processing personal data and access that data.
Right to correct §59.1-577(A)(2) 45 days Correct inaccuracies in personal data, taking into account the nature and purpose of processing.
Right to delete §59.1-577(A)(3) 45 days Delete personal data provided by or obtained about the consumer.
Right to data portability §59.1-577(A)(4) 45 days Obtain a copy of personal data the consumer previously provided to the controller, in a portable, readily usable format.
Opt-out of sale §59.1-577(A)(5)(i) 45 days Opt out of the sale of personal data (VCDPA defines sale narrowly as exchange for monetary consideration only).
Opt-out of targeted advertising §59.1-577(A)(5)(ii) 45 days Opt out of processing for targeted advertising — display of ads based on personal data obtained from non-affiliated activity over time and across non-affiliated sites/apps.
Opt-out of profiling §59.1-577(A)(5)(iii) 45 days Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (lending, housing, employment, healthcare, education access).
Right to appeal §59.1-577(C) 60 days If a controller refuses to act on a request, the consumer may appeal; controller must respond within 60 days and inform the consumer of the right to contact the VA Attorney General.
Topic: DSARs in practice Template: DSR reply (Art 15)

National addons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

CountryNational actStricter than GDPR baseline?Note
🇺🇸 Virginia US-VA VCDPA · Va. Code §59.1-575 et seq. Aligned Baseline. Opt-out for sale/targeted-ads/profiling; sensitive data opt-in; 30-day cure period (permanent, no sunset); no private right of action. GPC honoring not mandated.
🇺🇸 Colorado US-CO Colorado Privacy Act (CPA) · C.R.S. §6-1-1301 Stricter Stricter than VCDPA: GPC / Universal Opt-Out Mechanism MANDATORY since 1 Jul 2024. Cure period sunset 1 Jan 2025. Broader 'sale' definition (includes non-monetary exchange).
🇺🇸 Connecticut US-CT Connecticut Data Privacy Act (CTDPA) Stricter GPC mandatory since 1 Jan 2025. Cure period sunset 31 Dec 2024. Broader 'sale' (monetary OR other valuable consideration).
🇺🇸 Utah US-UT Utah Consumer Privacy Act (UCPA) Aligned More business-friendly than VCDPA: no right to correct, no opt-out of profiling, no appeal right. Higher applicability threshold ($25M revenue + volume). 30-day cure permanent.
🇺🇸 Iowa US-IA Iowa Consumer Data Protection Act (ICDPA) · effective 1 Jan 2025 Aligned Closely modeled on UCPA. No right to correct, no profiling opt-out. 90-day cure (more lenient than VCDPA's 30).
🇺🇸 Indiana US-IN Indiana Consumer Data Protection Act · effective 1 Jan 2026 Aligned Near-clone of VCDPA. 30-day cure permanent. No GPC mandate.
🇺🇸 Tennessee US-TN Tennessee Information Protection Act (TIPA) · effective 1 Jul 2025 Aligned Adds NIST Privacy Framework affirmative defense — unique. 60-day cure permanent. Mirrors VCDPA opt-out structure.
🇺🇸 Florida US-FL Florida Digital Bill of Rights (FDBR) · effective 1 Jul 2024 Stricter Stricter scope: only applies to very large controllers ($1B+ revenue), but adds opt-out of voice/facial recognition collection and sensitive-data opt-in. 45-day cure.
🇺🇸 Oregon US-OR Oregon Consumer Privacy Act (OCPA) · effective 1 Jul 2024 Stricter Adds right to know specific third parties data shared with (broader than VCDPA's category-level disclosure). 30-day cure sunset 1 Jan 2026.
🇺🇸 Montana US-MT Montana Consumer Data Privacy Act · effective 1 Oct 2024 Stricter GPC mandatory from 1 Jan 2025. Cure period sunset 1 Apr 2026. Lower thresholds than VCDPA (50k consumers).
🇺🇸 Delaware US-DE Delaware Personal Data Privacy Act · effective 1 Jan 2025 Stricter Lower threshold (35k consumers). GPC mandatory. Cure period sunset 31 Dec 2025. Includes non-profits within scope.
🇺🇸 New Hampshire US-NH NH SB 255 · effective 1 Jan 2025 Stricter GPC mandatory from 1 Jan 2025. 60-day cure sunset 31 Dec 2025.
🇺🇸 New Jersey US-NJ NJ Data Privacy Act · effective 15 Jan 2025 Stricter GPC mandatory within 6 months of effective date. Broader sensitive-data definition (includes financial info). 18-month cure sunsets 15 Jul 2026.
🇺🇸 Maryland US-MD Maryland Online Data Privacy Act (MODPA) · effective 1 Oct 2025 Stricter Strictest US state law to date: bans sale of sensitive data outright; data-minimization standard ('reasonably necessary and proportionate'); no cure period.
🇺🇸 California US-CA CCPA / CPRA Stricter GPC MANDATORY (Cal. Code Regs. tit. 11, §7025). Private right of action for data breaches. Broader 'sale' + 'share' construct. Separate authority (CPPA).

Compared to other laws

Side-by-side rule comparison with the same field on each side.

COMPARE · 2 ENTITIES
GDPR vs CCPA / CPRA
Opt-in EU baseline against opt-out California — same rows on each side.
COMPARE · 2 ENTITIES
GDPR vs UK GDPR
Post-Brexit divergence — DPA 2018, ICO, UK Extension to DPF.
COMPARE · 2 ENTITIES
GDPR vs LGPD
EU baseline vs Brazilian privacy law modeled on it.

Common questions

Does VCDPA apply to my non-Virginia business?
Yes, if you conduct business in Virginia OR target Virginia residents AND meet either threshold: (1) process personal data of ≥100,000 Virginia consumers in a calendar year, OR (2) process data of ≥25,000 consumers AND derive ≥50% of gross revenue from the sale of personal data. Physical presence in Virginia is not required.
What are the key differences between VCDPA and CCPA?
Four big ones. (1) Sale definition: VCDPA = monetary consideration only; CCPA = monetary OR other valuable consideration (much broader). (2) Global Privacy Control: not required under VCDPA; mandatory under CCPA regulations. (3) Private right of action: none under VCDPA; CCPA allows private lawsuits for certain data breaches. (4) Cure period: VCDPA 30 days, permanent; CCPA cure provisions sunset 1 Jan 2023.
What is the maximum VCDPA fine?
Up to $7,500 per intentional violation, recoverable by the VA Attorney General under §59.1-584. There is no percentage-of-revenue tier and no statutory damages for consumers (no private right of action). Fines accrue per violation, so a systemic failure can multiply quickly.
Do I need to honor Global Privacy Control under VCDPA?
No — VCDPA does not mandate recognition of GPC or other universal opt-out signals. This is a key differentiator vs Colorado, Connecticut, Montana, Delaware, NH, NJ, and California, which all require GPC honoring. Many businesses honor GPC anyway for operational simplicity across states.
How does VCDPA define 'sale' of personal data — is it narrower than CCPA?
Yes, materially narrower. VCDPA §59.1-575 defines sale as 'the exchange of personal data for monetary consideration by the controller to a third party.' CCPA covers 'monetary or other valuable consideration,' so transfers for advertising co-op or analytics platform access can be 'sales' under CCPA but not VCDPA. This significantly changes how Google Analytics, Meta Pixel, etc. are classified.
When is opt-in consent required for sensitive data?
Always, before processing. Sensitive data under §59.1-575 includes: racial/ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, citizenship/immigration status, genetic/biometric data, precise geolocation (within 1,750 ft / ~533m), and personal data of a known child. Opt-in must be freely given, specific, informed, and unambiguous — pre-ticked boxes don't qualify.
When is a Data Protection Assessment required under VCDPA?
Per §59.1-580, a DPA is required for: (1) targeted advertising, (2) sale of personal data, (3) profiling presenting reasonably foreseeable risk of unfair/deceptive treatment, financial/physical/reputational injury, or intrusion on private affairs; (4) processing sensitive data; (5) any processing activity that presents a heightened risk of harm. The AG can request DPAs during investigations.
What is the cure period and how does it work?
VCDPA gives controllers 30 days after written notice from the VA AG to cure an alleged violation before enforcement action. If cured and the controller provides a written statement of compliance, no action is taken. Unlike Colorado/Connecticut/Oregon/Delaware/NH/Montana/NJ, VCDPA's cure period is permanent — no sunset date — making it one of the most controller-friendly state laws.
Does VCDPA apply to non-profits?
No. §59.1-576(C) explicitly exempts non-profit organizations. This contrasts with Colorado, Oregon, Delaware, and New Jersey, which include non-profits within scope. Higher-education institutions, GLBA-covered financial institutions, and HIPAA-covered entities are also excluded.
Can consumers use authorized agents under VCDPA?
VCDPA §59.1-577 does not expressly recognize authorized agents in the way CCPA does — requests must come from the consumer directly. There is one narrow exception: parents/guardians of known children may act on the child's behalf. The VA AG has not issued formal guidance permitting third-party agents.