top of page

Virginia Consumer Data Protection Act (VCDPA) Overview

Updated: May 23, 2023

Governor Ralph Northam (D) of Virginia officially enacted the Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, making Virginia the second state after California to do so. The VCDPA became active on January 1, 2023.

According to the VCDPA, customers can request that firms remove their data. Additionally, it mandates that businesses carry out data protection audits when processing personal data for individualized marketing and sales efforts. Even the use of de-identified data, or data that has been altered so that the individuals from whom the data were collected cannot be directly recognized, is subject to specific limitations under the law.

Scope and definitions of the VCDPA

  • According to the VCDPA, businesses must request and receive users’ consent before processing sensitive personal data.

  • Users must be allowed to refuse to use their personal information for targeted advertising under the VCDPA. On the website where user data is gathered, consent banners (also known as “cookie banners’’) are typically used with a consent management platform (CMP).

  • The “fair information practice principles (FIPPs)” is a part of the VCDPA. It specifies how user data collection is done lawfully, such as “having a specific, disclosed purpose for collecting personal data’’ and giving users access to a privacy notice and policy outlining the types of data the website or business collects.

  • Companies or for-profit organizations operating in Virginia or providing goods and services to Virginians are subject to the VCDPA. You must also comply with the VCDPA if your for-profit business is based outside Virginia but has customers (for example, by providing online services that Virginia people utilize).

  • According to the VCDPA, “sale” is “the exchange of personal data for money by a controller to a third party,” such as your website to an ad-tech company.

VCDPA requirements for organizations

When processing customer data, businesses and organizations must abide by several rules and obligations under the Virginia Customer Data Protection Act (VCDPA).

The VCDPA requires companies and organizations to:

  • Give end users a privacy notice that explains the types of data collected and why, the types of data shared with third parties, and who those third parties are. For example, how users can exercise their rights and other pertinent information.

  • Indicate whether the controller or a third party processes personal data for targeted advertising and describe the opt-out options available to users.

  • Set up security procedures for the gathering and processing of your data.

  • Within 45 days of receiving the request, respond to customer requests.

  • Create a procedure for customers to appeal a decision that rejects their original request.

  • Limit the amount of personal information collected to what is necessary and appropriate for the stated purpose.

  • Only with the consumer’s consent may personal data be processed for purposes other than those specified, not mistreat customers based on how their data is processed.

Penalties for not following VCDPA

Businesses that violate the Virginia Consumer Data Protection Act’s (VCDPA’s) rules are subject to fines. The VCDPA establishes two types of sanctions: administrative penalties and a consumer’s private right of action.

1. Administrative Penalties

The VCDPA empowers the Virginia Attorney General to issue civil fines of up to $7,500 for willful law violations. Before any penalties are imposed, companies that breach the VCDPA must be given a 30-day warning and a chance to make things right.

2. Private Right of Action

Virginians have a private right of action under the VCDPA against companies that disobey the rules. Under the VCDPA, consumers may ask for injunctive remedy, monetary compensation, or other suitable relief. The VCDPA does not limit the maximum damages granted to consumers.

3. Injunctive Relief

The VCDPA permits the Virginia Attorney General to request injunctive action to stop further legal offenses. A court order prohibiting the company from collecting or using personal data contravening the law is one form of injunctive remedy that may be available.

4. Increased Scrutiny

Increased public and regulatory scrutiny may result from failure to comply with the VCDPA. It may lead to bad press, reputational harm, and diminished consumer confidence.

The consequences for breaking the VCDPA are severe overall. Thus, companies in Virginia should take the necessary procedures to ensure compliance. By adhering to the VCDPA while defending Virginia residents’ privacy rights, businesses can avoid fines and potential legal action.


The Virginia Consumer Data Protection Act (VCDPA) is a privacy law that establishes new obligations for businesses that collect, process, and share the personal data of Virginia residents. The law imposes penalties on companies that fail to comply with its provisions, including administrative fines and a private right of action for consumers.

The VCDPA is designed to enhance the privacy rights of Virginia residents over their data and gives them greater control over how their data is collected, used, and shared. With the implementation of VCDPA on January 1, 2023, businesses operating in Virginia need to take proactive steps to ensure compliance with the law, including reviewing their data processing practices, updating their privacy policies, and implementing appropriate data security measures.

22 views0 comments

Recent Posts

See All


bottom of page