VA · VCDPA

Virginia Consumer Data Protection Act

Applies to businesses processing personal data of 100,000+ Virginia residents annually, or 25,000+ if you derive 50%+ of revenue from selling personal data.

Effective: 2023-01-01
Penalty max: $7,500
Cure period: 30 days
Honor GPC: Not required

Overview

The Virginia Consumer Data Protection Act (VCDPA) took effect January 1, 2023. Virginia was the second state (after California) to enact a comprehensive consumer privacy law. The VCDPA gives Virginia residents rights to access, correct, delete, and port their personal data, plus the right to opt out of targeted advertising, data sales, and profiling for consequential decisions. Virginia is unique among the 'first wave' privacy states in that it does not require businesses to honor browser-level Global Privacy Control (GPC) signals — but you still must provide a clear in-product opt-out mechanism. The Virginia AG has a permanent 30-day cure period, which makes Virginia generally less aggressive than Colorado, California, or Texas, but enforcement actions have still been brought against e-commerce businesses for inadequate consumer rights processes.

Who it applies to

  • Businesses processing personal data of 100,000+ Virginia residents annually.
  • Businesses processing personal data of 25,000+ Virginia residents AND deriving 50%+ of revenue from selling personal data.

Consumer rights

Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.

What this means for e-commerce

Virginia was the second state to enact a comprehensive privacy law. It does not require honoring GPC signals (unlike CA, CO, CT, TX), but it does require an in-product opt-out mechanism for targeted advertising and data sales. The 30-day cure period is permanent, which makes Virginia one of the more business-friendly enforcement environments — but the AG has still pursued multiple settlements with e-commerce businesses for inadequate opt-out flows.

Penalties & enforcement

Enforced by the Virginia Attorney General. Penalties range from $0 to $7,500 per violation.

Virginia provides a 30-day cure period (permanent). The AG must give you written notice of an alleged violation and time to fix it before bringing an enforcement action.

Compliance checklist

  • Add a clear opt-out link in your site footer for targeted advertising and data sales
  • Update privacy policy with VCDPA-required disclosures (categories of data, purposes, third parties, consumer rights)
  • Implement a verifiable consumer request process with 45-day response window
  • Conduct data protection assessments for high-risk processing (targeted ads, sale of data, profiling, sensitive data)
  • Obtain opt-in consent before processing sensitive personal data
  • Update vendor and processor agreements with VCDPA-required terms
  • Establish an internal appeals process for consumer requests you decline
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.