Virginia Consumer Data Protection Act (VCDPA)

  • Maximum Fine: $7,500 per violation
  • Scope: State
  • Regulator: AG
  • Status: Active

Overview

The Virginia Consumer Data Protection Act establishes comprehensive privacy rights for Virginia residents and obligations for businesses processing personal data.

Key Facts

  • Effective January 1, 2023
  • Enforced by Virginia Attorney General
  • Includes consumer rights and business obligations
  • Requires data protection assessments
  • Provides 30-day cure period

Key Principles

Consumer Rights

Rights granted to Virginia residents regarding their personal data.

Requirements

  • Right to access
  • Right to delete
  • Right to correct
  • Right to data portability
  • Right to opt-out of targeted advertising
  • Right to opt-out of sales
  • Right to opt-out of profiling

Examples

  • Access request procedures
  • Deletion mechanisms
  • Correction processes
  • Data portability tools
  • Opt-out systems

Transparency

Clear disclosure requirements for controllers.

Requirements

  • Privacy notice requirements
  • Processing disclosures
  • Categories of data
  • Sharing practices
  • Consumer rights information

Examples

  • Privacy policies
  • Rights notifications
  • Processing disclosures
  • Data sharing notices

Data Protection

Requirements for protecting personal data.

Requirements

  • Data protection assessments
  • Reasonable security
  • Processing limitations
  • Purpose specification
  • Data minimization

Examples

  • Security measures
  • Assessment procedures
  • Processing records
  • Purpose documentation

Compliance Requirements

Data Protection Assessments

Required assessments for certain processing activities.

Implementation Steps

  • Identify processing requiring assessment
  • Conduct risk analysis
  • Document findings
  • Implement controls
  • Regular reviews

Required Documentation

  • Assessment procedures
  • Risk analyses
  • Control documentation
  • Review records
  • Mitigation plans

Consumer Request Handling

Procedures for handling consumer rights requests.

Implementation Steps

  • Establish request procedures
  • Implement verification methods
  • Set response timelines
  • Train staff
  • Document responses

Required Documentation

  • Request procedures
  • Verification methods
  • Response templates
  • Training materials
  • Request logs

Sensitive Data Processing

Requirements for processing sensitive data.

Implementation Steps

  • Obtain consent
  • Implement controls
  • Document processing
  • Regular reviews
  • Staff training

Required Documentation

  • Consent records
  • Processing procedures
  • Control documentation
  • Review logs
  • Training materials

Enforcement & Penalties

Attorney General Enforcement

The Virginia Attorney General has exclusive authority to enforce the VCDPA.

Penalty Categories

  • Civil Penalties: Up to $7,500 per violation (for each violation of the Act)
  • Injunctive Relief: Court orders (orders to cease violations)
  • Recovery of Expenses: Varies (reasonable expenses, including attorney fees)

Example Cases

  • Example Case 1: $100,000 (2023 - Multiple violations of consumer rights)
  • Example Case 2: $75,000 (2023 - Failure to conduct required assessments)

Cure Period

30-day opportunity to cure violations.

Penalty Categories

  • Initial Notice: No immediate penalty (30-day opportunity to cure violation)
  • Failure to Cure: Up to $7,500 per violation (if violation not cured within 30 days)

Example Cases

  • Example Case 3: Cured - No Fine (2023 - Violation remedied within cure period)
  • Example Case 4: $50,000 (2023 - Failed to cure violation within 30 days)