Virginia Consumer Data Protection Act (VCDPA)
View Law TextMaximum Fine
$7,500 per violation
Scope
State
Regulator
AG
Status
Active
Need Help with Virginia Consumer Data Protection Act (VCDPA) Compliance?
Get expert guidance on implementing VCDPA requirements and ensuring ongoing compliance for your organization.
Get Expert HelpOverview
The Virginia Consumer Data Protection Act establishes comprehensive privacy rights for Virginia residents and obligations for businesses processing personal data.
Key Facts
- Effective January 1, 2023
- Enforced by Virginia Attorney General
- Includes consumer rights and business obligations
- Requires data protection assessments
- Provides 30-day cure period
Key Principles
Consumer Rights
Rights granted to Virginia residents regarding their personal data.
Requirements
- Right to access
- Right to delete
- Right to correct
- Right to data portability
- Right to opt-out of targeted advertising
- Right to opt-out of sales
- Right to opt-out of profiling
Examples
- Access request procedures
- Deletion mechanisms
- Correction processes
- Data portability tools
- Opt-out systems
Transparency
Clear disclosure requirements for controllers.
Requirements
- Privacy notice requirements
- Processing disclosures
- Categories of data
- Sharing practices
- Consumer rights information
Examples
- Privacy policies
- Rights notifications
- Processing disclosures
- Data sharing notices
Data Protection
Requirements for protecting personal data.
Requirements
- Data protection assessments
- Reasonable security
- Processing limitations
- Purpose specification
- Data minimization
Examples
- Security measures
- Assessment procedures
- Processing records
- Purpose documentation
Compliance Requirements
Data Protection Assessments
Required assessments for certain processing activities.
Implementation Steps
- Identify processing requiring assessment
- Conduct risk analysis
- Document findings
- Implement controls
- Regular reviews
Required Documentation
- Assessment procedures
- Risk analyses
- Control documentation
- Review records
- Mitigation plans
Consumer Request Handling
Procedures for handling consumer rights requests.
Implementation Steps
- Establish request procedures
- Implement verification methods
- Set response timelines
- Train staff
- Document responses
Required Documentation
- Request procedures
- Verification methods
- Response templates
- Training materials
- Request logs
Sensitive Data Processing
Requirements for processing sensitive data.
Implementation Steps
- Obtain consent
- Implement controls
- Document processing
- Regular reviews
- Staff training
Required Documentation
- Consent records
- Processing procedures
- Control documentation
- Review logs
- Training materials
Enforcement & Penalties
Attorney General Enforcement
The Virginia Attorney General has exclusive authority to enforce the VCDPA.
Penalty Categories
Civil Penalties
Up to $7,500 per violation
For each violation of the Act
Injunctive Relief
Court Orders
Orders to cease violations
Recovery of Expenses
Varies
Reasonable expenses, including attorney fees
Example Cases
Example Case 1
$100,000
2023 - Multiple violations of consumer rights
Example Case 2
$75,000
2023 - Failure to conduct required assessments
Cure Period
30-day opportunity to cure violations.
Penalty Categories
Initial Notice
No immediate penalty
30-day opportunity to cure violation
Failure to Cure
Up to $7,500 per violation
If violation not cured within 30 days
Example Cases
Example Case 3
Cured - No Fine
2023 - Violation remedied within cure period
Example Case 4
$50,000
2023 - Failed to cure violation within 30 days