Virginia VCDPA Compliance
The Virginia Consumer Data Protection Act, often called VCDPA, became effective January 1, 2023. Virginia was the second US state after California to enact a comprehensive privacy law. VCDPA is enforced exclusively by the Virginia Attorney General. As of 2026, the law has been in effect for three years and enforcement guidance has matured.
This page covers what VCDPA requires, who is in scope, and how to build compliance.
Does VCDPA apply to you
VCDPA applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents, and that during a calendar year:
Control or process the personal data of at least 100,000 Virginia consumers; or
Control or process the personal data of at least 25,000 Virginia consumers and derive over 50 percent of gross revenue from the sale of personal data.
VCDPA does not apply to government entities, financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates under HIPAA, nonprofit organizations, and institutions of higher education.
Many growing tech companies hit the 100,000 Virginia consumer threshold as they scale, particularly consumer-facing applications and SaaS platforms with Virginia customer bases.
What VCDPA requires
A compliant privacy notice. The notice must describe categories of personal data processed, purposes of processing, how consumers can exercise their rights, categories of personal data shared with third parties, and categories of third parties.
Consumer rights operational capability. Virginia consumers have the right to:
Access. Confirm whether the controller is processing the consumer's personal data and access that data.
Correction. Correct inaccuracies in their personal data.
Deletion. Delete personal data provided by or about the consumer.
Portability. Obtain a copy of personal data in a portable, readily usable format.
Opt-out. Opt out of processing for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers must respond to consumer requests within 45 days, with a 45-day extension if reasonably necessary.
Sensitive data consent. Processing of sensitive personal data requires opt-in consent. Sensitive data includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, and precise geolocation data.
Data protection assessments. Controllers must conduct and document data protection assessments for processing activities involving targeted advertising, sale of personal data, profiling with high-risk effects, sensitive data, or other processing presenting a heightened risk.
Data processing addendum. Contracts between controllers and processors must include specific terms addressing processing instructions, confidentiality, security, sub-processor management, audit cooperation, and data return or deletion.
Enforcement
The Virginia Attorney General has exclusive enforcement authority. No private right of action exists.
Penalties are up to 7,500 USD per violation. The Attorney General must provide written notice of alleged violations with a 30-day cure period before initiating enforcement.
As of 2026, Virginia enforcement has been less visible than California's, with the Attorney General typically engaging through cure notices rather than public penalties. Companies should not assume Virginia enforcement is dormant; cure notices indicate active monitoring.
How VCDPA compares to GDPR and CCPA
VCDPA shares a conceptual structure with GDPR, including controller/processor roles, consumer rights similar to data subject rights, and risk assessments similar to DPIAs. The mechanics differ in the details.
VCDPA is similar to CCPA in covering consumer rights but uses different terminology (consumer rights rather than data subject rights, controllers rather than businesses) and has different thresholds.
VCDPA's opt-in consent for sensitive data is stricter than CCPA's limit on sensitive personal information use but less restrictive than GDPR's lawful basis requirements for special category data.
Combining VCDPA with multi-state compliance
VCDPA is one of 20 US state comprehensive privacy laws in effect as of 2026. Most companies build a single privacy program meeting the strictest applicable standard and handle state-specific variations through notice content and operational processes.
For companies already compliant with GDPR and CCPA, adding VCDPA compliance is typically incremental work: notice updates with Virginia-specific disclosures, consumer rights process extension to Virginia residents, and data protection assessment documentation.
How Engage Compliance helps
VCDPA compliance is included in our DPO services for clients serving Virginia residents. Specific work includes:
Privacy notice with Virginia-specific sections.
Consumer rights process design and implementation, including Virginia-specific timelines.
Data protection assessment documentation for in-scope processing activities.
Sensitive data inventory and consent management.
Controller/processor contract review and update.
Multi-state harmonization across VCDPA, CCPA, and other US state laws.
Get started
If you have Virginia consumers and need VCDPA compliance support, book a consultation.