VCDPA — Virginia's Privacy Law
Virginia Consumer Data Protection Act: what it requires, who it applies to, and what it means for consent.
The Virginia Consumer Data Protection Act (VCDPA) was the second comprehensive state privacy law in the US, after California. It took effect on January 1, 2023, and is enforced by the Virginia Attorney General.
It follows the CCPA pattern but is narrower in scope and lighter on obligations.
Who must comply
The VCDPA applies to businesses that conduct business in Virginia or produce products/services targeted at Virginia residents, AND either:
- Process the personal data of 100,000+ consumers per year, or
- Process the data of 25,000+ consumers AND derive 50%+ of revenue from the sale of personal data
Small businesses and nonprofits are generally exempt.
Consumer rights
Virginians have the right to:
- Know whether their data is being processed
- Access their data
- Correct inaccuracies
- Delete their data
- Data portability: obtain a copy in a portable format
- Opt out of: targeted advertising, sale of personal data, profiling with legal/significant effects
Consent requirements
The VCDPA uses an opt-out model for most data. Prior consent is NOT required for basic data collection. However:
- Sensitive data requires explicit opt-in consent
- Sensitive data includes: race, ethnicity, religion, health, sexual orientation, citizenship status, biometric data, genetic data, precise geolocation, and data of children under 13
- “Sensitive data” also includes data about a known child, meaning any data from someone the business actually knows is under 13
Obligations
Businesses must:
- Provide a clear privacy notice with categories of data collected, purposes, and consumer rights
- Conduct data protection assessments for high-risk processing (targeted ads, sale of data, sensitive data, profiling)
- Honor opt-out requests within 45 days (extendable once)
- Have a universal opt-out mechanism starting 2025, which in practice means honoring Global Privacy Control browser signals
- Establish data security practices appropriate to the volume and sensitivity of data
No private right of action
Unlike the CCPA, the VCDPA has no private right of action. Only the Virginia AG can enforce it. This significantly reduces litigation risk compared to California.
How Zest handles it
Zest provides the opt-out mechanisms, sensitive data consent collection, and cookie controls required under the VCDPA. The consent banner can be configured for Virginia-appropriate compliance: strong opt-out, explicit consent for sensitive data, and GPC signal detection.