AuditXYZ

Compliance Framework

Virginia Consumer Data Protection Act

The VCDPA is Virginia's comprehensive consumer data protection law, granting residents rights over their personal data and imposing obligations on businesses regarding data processing, consent, and protection assessments.

Issuing Body: Virginia General Assembly
First Published: 2021-03-02
Latest Version: 2021 (enforced January 1, 2023)
Typical Cost: $5,000–$75,000
Typical Timeline: 2–6 months
Audit Required: No
Audit Frequency: No mandatory external audit. Data protection assessments required for targeted advertising, profiling, sale of personal data, and sensitive data processing.
Geography: us-virginia

VCDPA: The Complete Guide

The Virginia Consumer Data Protection Act was the second comprehensive state privacy law enacted in the United States, signed into law in March 2021 and effective January 1, 2023. The VCDPA establishes consumer rights over personal data and imposes obligations on controllers and processors operating in Virginia.

What the VCDPA Covers

The VCDPA grants Virginia consumers five core rights: the right to access their personal data, the right to correct inaccuracies, the right to delete data, the right to obtain a portable copy, and the right to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

The law distinguishes between controllers (entities that determine the purpose and means of processing) and processors (entities that process data on behalf of controllers), imposing distinct obligations on each. Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes.

Who Needs to Comply

The VCDPA applies to entities that conduct business in Virginia or target Virginia residents and that, during a calendar year, either control or process the personal data of at least 100,000 Virginia consumers, or control or process the data of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data.

Notably, the VCDPA exempts entities and data already regulated under HIPAA, the Gramm-Leach-Bliley Act, and several other federal laws. Nonprofits and higher education institutions are also exempt.

Enforcement

The Virginia Attorney General has exclusive enforcement authority. There is no private right of action. Before initiating enforcement, the Attorney General must provide a 30-day cure period. Civil penalties reach up to $7,500 per violation.

Practical Compliance Steps

  1. Determine applicability — Assess whether processing thresholds are met for Virginia consumers
  2. Map data flows — Identify all personal and sensitive data processing activities
  3. Consent mechanisms — Implement opt-in consent for sensitive data processing
  4. Consumer rights — Build request intake and response workflows within 45-day deadlines
  5. Data protection assessments — Conduct assessments for targeted advertising, profiling, and sensitive data activities
  6. Processor contracts — Execute agreements meeting VCDPA requirements with all processors
