Virginia Consumer Data Protection Act (VCDPA): compliance guide for online retailers

The model law

Virginia's Consumer Data Protection Act (VCDPA) was the second comprehensive state privacy law in the US, taking effect January 1, 2023. More importantly, the VCDPA became the template that most subsequent state privacy laws copied. Understanding the VCDPA gives you a strong foundation for complying with privacy laws in Colorado, Connecticut, Indiana, Kentucky, Tennessee, and others.

Does the VCDPA apply to your business?

The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents AND meet one of these thresholds:

  • Control or process personal data of 100,000 or more Virginia consumers in a calendar year, OR
  • Control or process personal data of at least 25,000 Virginia consumers AND derive over 50% of gross revenue from the sale of personal data

For e-commerce businesses, the 100,000 consumer threshold is the one to watch. If you have a substantial Virginia customer base or Virginia website visitors, you may be covered.

Consumer rights

Virginia consumers have the right to:

  • Confirm whether a business is processing their personal data
  • Access their personal data
  • Correct inaccuracies
  • Delete personal data provided by or obtained about them
  • Obtain a portable copy of their data
  • Opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects

You must respond to consumer requests within 45 days (with one 45-day extension available with notice).

Sensitive data requires opt-in consent

The VCDPA requires affirmative opt-in consent before processing sensitive data, which includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Data from known children
  • Precise geolocation data (within 1,750 feet)

For e-commerce businesses, precise geolocation data is the most common trigger. If your app or site collects precise location data, you need consent before processing it.

Data protection assessments

The VCDPA requires data protection assessments for:

  • Targeted advertising
  • Sale of personal data
  • Profiling that produces legal or significant effects
  • Processing sensitive data
  • Any processing presenting a heightened risk of harm to consumers

Each assessment must weigh the benefits of the processing against the potential risks to consumers. You should document these assessments and retain them — the AG can request them during an investigation.

The permanent 30-day cure period

Unlike many states where cure periods have expired or will expire, Virginia's 30-day cure period is permanent. If the AG identifies a violation, the AG must issue a written notice and give you 30 days to cure it. Only if you fail to cure within 30 days can the AG bring an enforcement action.

This is a significant advantage for businesses making good-faith compliance efforts. It means that even if you make a mistake, you have time to fix it before facing penalties.

Penalties

  • Up to $7,500 per violation
  • Attorney General enforcement only — no private right of action
  • No dedicated privacy enforcement agency (unlike California)

How the VCDPA compares to other states

The VCDPA is considered "middle of the road" in terms of strictness:

  • More business-friendly than: California (broader scope, CPPA), Maryland (no cure, strict minimization), New Jersey (no cure)
  • Similar to: Colorado, Connecticut (before their cure periods expired), Indiana, Kentucky
  • More strict than: Utah (limited rights), Iowa (90-day cure, no DPA requirement), Florida (narrow scope)

Compliance checklist for online retailers

  1. Check your Virginia consumer count. Use analytics and customer data to estimate how many Virginia residents you interact with annually.

  2. Map your data practices. Document what personal data you collect, how you use it, who you share it with, and how long you retain it.

  3. Post a compliant privacy notice. Include all VCDPA-required disclosures about categories of data, purposes, third-party sharing, and consumer rights.

  4. Build consumer request processes. Implement intake, verification, and fulfillment workflows for all five consumer rights.

  5. Conduct data protection assessments. Document your targeted advertising, data sales, and any profiling activities.

  6. Obtain sensitive data consent. If you collect geolocation data, biometric data, or data from children, implement consent mechanisms.

  7. Review data processing agreements. Ensure contracts with processors (payment providers, analytics tools, email platforms) include VCDPA-required terms.

  8. Train your team. Customer service, marketing, and IT staff should understand VCDPA obligations and consumer request handling.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.