State Law Practice Note

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act gives Virginia consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds. It became the model for many later state privacy laws; it is enforced exclusively by the Attorney General, with a permanent 30-day cure period, and provides no private right of action.

Editor: OpenAgreements editor
License: CC BY 4.0

Does the Virginia Consumer Data Protection Act apply to your business?

It turns on consumer volume, not a revenue floor. The VCDPA applies to persons that do business in Virginia or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or of at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data.

Virginia was the second state (after California) to enact a comprehensive privacy law, and its structure became the template much of the country copied — so this note reads much like Colorado, Connecticut, and Texas. Like those, it sets no dollar revenue floor; unlike Colorado, it exempts nonprofit organizations, along with state agencies and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Virginia resident acting in an individual or household context, not an employee or business contact.

Sources for this answer

Primary law

A.1 Va. Code § 59.1-576

The VCDPA applies to persons doing business in Virginia or targeting its residents that control or process the data of at least 100,000 consumers, or 25,000+ while deriving over 50% of gross revenue from selling personal data.

This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

See Va. Code § 59.1-576(A).

What must your Virginia privacy policy contain?

A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties.

For a template privacy policy, section 59.1-578 is the content checklist. Virginia also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and, where a controller sells personal data or processes it for targeted advertising, a clear disclosure of that and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.

Sources for this answer

Primary law

B.1 Va. Code § 59.1-578

A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed and the purpose for processing, among other required disclosures.

reasonably accessible, clear, and meaningful privacy notice that includes: 1. The categories of personal data processed by the controller; 2. The purpose for processing personal data;

See Va. Code § 59.1-578(C).

What must your contracts with processors say?

A contract between a controller and a processor must govern the processor's data processing on the controller's behalf, so a data processing agreement is a statutory requirement, not merely a best practice.

Section 59.1-579 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template DPA tracks each of these.

Sources for this answer

Primary law

C.1 Va. Code § 59.1-579

A contract between a controller and a processor must govern the processor's data processing performed on behalf of the controller.

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

See Va. Code § 59.1-579(B).

Do you need consent to process sensitive data?

Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for sensitive data concerning a known child it must instead process the data in accordance with the federal Children's Online Privacy Protection Act (COPPA). Sensitive data includes data revealing race or ethnicity, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and precise geolocation data.

This is the opt-in model shared by Colorado, Connecticut, and Texas — the opposite of Utah's notice-and-opt-out approach (and of California, which gives consumers a right to limit the use of sensitive personal information rather than requiring prior consent). Virginia does not, however, require honoring a universal opt-out preference signal the way California, Colorado, and Connecticut do, so a Virginia-only program can rely on its own opt-out mechanisms — though a multi-state template generally has to support universal signals to stay compliant elsewhere.

Sources for this answer

Can a consumer sue your business under the VCDPA?

No. The Attorney General has exclusive authority to enforce the VCDPA, so there is no private right of action for consumers. Before bringing an action, the Attorney General must give 30 days' written notice identifying the specific provisions allegedly violated and an opportunity to cure.

Unlike Colorado and Connecticut, Virginia's 30-day cure period has not sunset — it remains a permanent, built-in off-ramp. A controller or processor that cures the noticed violation within the window and gives the Attorney General an express written statement that the violation has been cured and will not recur avoids an action for injunctive relief or civil penalties; an uncured violation exposes it to civil penalties of up to $7,500 per violation, plus the Attorney General's reasonable expenses. The practical posture is still to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.

Sources for this answer

Primary law

E.1 Va. Code § 59.1-584

The Attorney General has exclusive authority to enforce the VCDPA — there is no private right of action.

The Attorney General shall have exclusive authority to enforce the provisions of this chapter.

See Va. Code § 59.1-584(A).

Primary law

E.2 Va. Code § 59.1-584

Before bringing an action, the Attorney General must give 30 days' written notice identifying the specific provisions allegedly violated.

30 days' written notice identifying the specific provisions of this chapter the Attorney General alleges have been or are being violated.

See Va. Code § 59.1-584(B).