Virginia Privacy Law
Effective January 1, 2023
VCDPA — The Virginia Consumer Data Protection Act
The second state privacy law in America after California. VCDPA grants Virginia residents access, correction, deletion, portability, and opt-out rights — enforceable exclusively by the Virginia Attorney General, with civil penalties up to $7,500 per intentional violation.
What Is VCDPA
Virginia was second. Here's what the law actually does.
The Virginia Consumer Data Protection Act (VCDPA) became effective on January 1, 2023, making Virginia the second U.S. state after California to enact comprehensive privacy legislation. Unlike California's CCPA, VCDPA is remarkably concise — just eight pages — and has become a model that later state laws (including Texas, Colorado, Connecticut, and Utah) adapted.
VCDPA grants Virginia consumers rights over their personal data and imposes obligations on "controllers" — businesses that determine how personal data is processed. The law is enforced exclusively by the Virginia Attorney General; there is no private right of action, meaning individuals cannot sue businesses directly.
Your rights under VCDPA
- Right to Access: Confirm whether a controller processes your personal data and obtain a copy in a portable format.
- Right to Correct: Fix inaccurate personal data that a controller holds about you.
- Right to Delete: Request deletion of personal data a controller has collected or obtained about you.
- Right to Portability: Receive your personal data in a readily usable format so you can transmit it to another controller.
- Right to Opt Out: Opt out of processing for targeted advertising, sale of personal data, or profiling for significant decisions.
- Sensitive Data Opt-In: Controllers must obtain your explicit consent before processing sensitive categories of data.
Who has to comply with VCDPA
VCDPA applies to businesses that conduct business in Virginia or produce products/services targeted to Virginia residents AND meet one of two quantitative thresholds:
- Control or process the personal data of at least 100,000 consumers during a calendar year, OR
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data
These thresholds are stricter than Texas (which has a broader "conducts business in" test). Small businesses with limited Virginia reach are generally exempt. VCDPA also exempts various entities including state agencies, financial institutions regulated by Gramm-Leach-Bliley, HIPAA-covered entities, nonprofits (with recent amendments including tax-exempt political organizations), and institutions of higher education.
Data protection assessments
VCDPA introduces a unique requirement among state privacy laws: controllers must conduct data protection assessments (DPAs) for high-risk processing activities. These include targeted advertising, sale of personal data, processing of sensitive data, and certain types of profiling. Since January 1, 2025, this requirement also extends to any online services, products, or features directed to known children.
The Virginia AG can request that controllers disclose their DPAs when relevant to compliance investigations. If your business falls under multiple state privacy laws with DPA requirements, a single assessment can satisfy them all, provided it addresses comparable processing operations.
How It Compares
Virginia vs. California: the model and the pioneer
VCDPA borrowed heavily from California's CCPA but simplified it. Where CCPA is dense and layered with amendments, VCDPA is eight pages of cleaner language. It has since inspired most other state privacy laws. But simpler doesn't mean stronger — Virginia gives residents fewer practical tools to exercise their rights than California does.
| Feature | Virginia (VCDPA) | California (CCPA + SB362) |
| --- | --- | --- |
| Right to Delete | Yes, 45-day response | Yes, 45-day response |
| Centralized Delete Registry | No — per-controller requests | Yes — DROP (Aug 1, 2026) |
| Authorized Agent Framework | Not explicitly codified | Full agent framework |
| Universal Opt-Out (GPC) | Not required (recommended) | Required |
| Data Protection Assessments | Required for high-risk processing | Required for certain processing |
| Private Right of Action | No — AG only | Limited (breach only) |
| Unintentional Violation Cap | $2,500 | $2,500 |
| Intentional Violation Cap | $7,500 | $7,500 |
| 30-Day Cure Period | Yes (mandatory) | Removed Jan 2023 |
The biggest practical gap: Virginia has no authorized-agent framework explicitly codified into VCDPA. Texas added opt-out agent recognition in January 2025. California has a full framework. Virginia does not. That doesn't mean services like Shield can't submit deletion requests for Virginia residents — many data brokers voluntarily honor third-party deletion submissions — but there's no statutory mechanism requiring them to.
Enforcement & Penalties
Who enforces VCDPA
The Virginia Attorney General has exclusive enforcement authority under VCDPA. Before filing suit, the AG must first provide written notice of the alleged violation. The controller then has 30 days to cure the violation or provide a written statement that the violation has been cured.
If the violation is not cured, or if the cure statement is false, the AG may seek:
- Civil penalties up to $2,500 per unintentional violation
- Civil penalties up to $7,500 per intentional violation
- Injunctive relief to restrain further violations
- Recovery of reasonable expenses, including attorney's fees
Collected penalties are deposited into the state treasury's Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Unlike California's dedicated privacy agency (CPPA), Virginia's enforcement happens through the existing AG structure — which means less specialized enforcement staff but the full weight of AG investigative authority.
Recent amendments
Virginia has updated VCDPA since its 2023 effective date:
- Children's privacy (SB 361, effective Jan 1, 2025) — expanded protections for processing children's data, including DPA requirements for services directed at known children
- Addictive feed regulation (SB 854, effective Jan 1, 2026) — restricts social media platforms from providing "addictive feeds" (algorithm-driven infinite scroll, variable rewards) to minors without verified parental consent
The Honest Version
What VCDPA doesn't give you
Virginia was first after California, but it made deliberate choices to favor business clarity over consumer power. Here's what VCDPA does not give Virginia residents:
- No private lawsuits. Enforcement is AG-only. You cannot personally sue a controller for ignoring your VCDPA request.
- No centralized delete system. Unlike California's DROP registry, there's no "delete from all Virginia brokers" infrastructure. Per-controller requests are the default path.
- No authorized-agent framework. VCDPA doesn't explicitly codify the right to designate an agent. Controllers may voluntarily accept agent-submitted requests, but aren't statutorily required to.
- No universal opt-out mandate. VCDPA doesn't require controllers to honor Global Privacy Control signals. That's a gap the VCDPA Work Group has recommended closing, but legislators haven't acted yet.
- 30-day cure period that isn't sunsetting. Unlike Colorado (where the cure period expired in 2025) and Oregon (January 2026), Virginia's cure period is permanent. Controllers always get a 30-day opportunity to fix violations before facing penalties.
These limitations don't make VCDPA toothless — the AG has brought actions, and the $7,500 per intentional violation penalty adds up quickly across many affected consumers. But knowing what the law doesn't do helps you exercise your rights realistically.