Quick Answer: Virginia's Consumer Data Protection Act (VCDPA) is a comprehensive state privacy law that took effect January 1, 2023, requiring businesses that meet specific revenue or data-processing thresholds to honor consumer rights over personal data. East Coast businesses, even those headquartered outside Virginia, must comply if they serve Virginia residents at scale. As of July 1, 2026, the law was further strengthened with a ban on the sale of precise geolocation data under SB 338.
Key Takeaways
- The VCDPA applies to any business controlling or processing data of 100,000+ Virginia consumers annually, or 25,000+ consumers if 50% or more of revenue comes from selling personal data.
- Virginia consumers have six core rights: access, correction, deletion, portability, opt-out of targeted advertising/sale/profiling, and the right to appeal a denied request.
- The Virginia Attorney General holds exclusive enforcement authority; there is no private right of action under the VCDPA.
- Civil penalties can reach $7,500 per intentional violation, with a 30-day cure period (which sunsets after January 1, 2026).
- As of July 1, 2026, SB 338 prohibits the sale of precise geolocation data, adding a significant new obligation for data brokers and ad-tech companies.
- Sensitive data categories (biometric, health, racial/ethnic origin, precise geolocation, etc.) require explicit opt-in consent before processing.
- Unlike the GDPR, the VCDPA does not require a legal basis for processing general personal data, but it does require data protection assessments for high-risk activities.
- Small businesses below the thresholds are exempt, but those that process sensitive data or sell personal data should review their exposure carefully.
- A consent management platform such as Biscotti CMP can help automate opt-out signal handling and consent records.
- Privacy policies must clearly disclose data categories collected, purposes, third-party sharing, and all consumer rights under the VCDPA.
What Is the Virginia Consumer Data Protection Act and How Does It Work
The VCDPA is Virginia's comprehensive consumer privacy statute, codified at Title 59.1, Chapter 53 of the Virginia Code, and effective January 1, 2023 [10]. It establishes a framework of consumer rights and corresponding business obligations modeled loosely on the EU's GDPR, though with notable structural differences suited to a U.S. commercial context.
The law operates on a controller-processor model. Controllers (entities that determine the purpose and means of processing) bear the primary compliance burden. Processors (vendors handling data on a controller's behalf) must operate under a data processing agreement and follow the controller's documented instructions [1].
Key mechanics include:
- Mandatory response to consumer rights requests within 45 days (extendable by another 45 days with notice)
- Required data protection assessments for processing that presents heightened risk
- Contractual obligations between controllers and processors
- Opt-in consent required for sensitive data; opt-out rights for targeted advertising and data sales [8]
When Does the VCDPA Go Into Effect for Businesses
The VCDPA became effective January 1, 2023 for all covered businesses [5]. There was no phased rollout by business size, unlike California's CPRA. If a business met the thresholds on or after that date, compliance was immediately required.
The most recent amendment, SB 338, added a ban on selling precise geolocation data, effective July 1, 2026 [2][3]. This means businesses that monetize location data, including data brokers, ad networks, and mobile app publishers serving Virginia consumers, faced a new hard deadline this year.
Who Has to Comply with Virginia's VCDPA Requirements
The VCDPA applies to for-profit entities that conduct business in Virginia or produce products/services targeted to Virginia residents and meet at least one of two thresholds [8][10]:
| Threshold | Condition |
|---|---|
| Volume-based | Control or process data of 100,000+ Virginia consumers per calendar year |
| Revenue-based | Control or process data of 25,000+ consumers AND derive 50%+ of gross revenue from selling personal data |
Exempt entities and data types include:
- Nonprofit organizations
- Higher education institutions
- Financial institutions subject to GLBA
- HIPAA-covered entities and business associates (for HIPAA-regulated data)
- Government entities
- Employee and B2B contact data (in the context of employment or commercial transactions)
The law does not require a physical presence in Virginia. An e-commerce company based in New York, a SaaS provider in Massachusetts, or a marketing agency in Florida can all fall within scope if they process Virginia consumer data at the required volume [1].
Does the VCDPA Apply to My Business If I'm Not in Virginia
Yes, geographic location of the business is irrelevant. The VCDPA's scope is determined by where the consumers are located, not where the business operates [7]. Any East Coast business with a substantial Virginia customer base should assess its data volumes against the thresholds above.
Practical example: A Baltimore-based e-commerce retailer selling to 150,000 customers annually, a significant portion of whom are Virginia residents, likely crosses the 100,000-consumer threshold and must comply.
What Data Does the VCDPA Actually Protect and Cover
The VCDPA covers personal data, defined as any information that is linked or reasonably linkable to an identified or identifiable natural person [10]. This excludes de-identified data and publicly available information.
Sensitive data is a distinct, higher-protection category requiring opt-in consent before processing [8]:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation or gender identity
- Immigration status
- Genetic or biometric data processed for unique identification
- Personal data of a known child (under 13)
- Precise geolocation data (and as of July 1, 2026, such data cannot be sold at all) [2]

What Are the Main Obligations for Businesses Under VCDPA
Controllers must fulfill six categories of obligation under Virginia's VCDPA: What East Coast Businesses Need to Know About Data Protection starts here in practical terms.
- Transparency: Provide a reasonably accessible, clear privacy notice disclosing data categories, processing purposes, third-party sharing, and consumer rights [7].
- Consumer rights fulfillment: Respond to access, correction, deletion, portability, and opt-out requests within 45 days.
- Purpose limitation: Collect only data adequate and relevant to the disclosed purpose.
- Data security: Implement reasonable administrative, technical, and physical safeguards.
- Non-discrimination: Do not deny goods/services or charge different prices solely because a consumer exercised a privacy right.
- Data protection assessments: Conduct and document assessments for targeted advertising, data sales, sensitive data processing, profiling with legal/significant effects, and certain high-risk activities [1][9].
Controllers must also honor universal opt-out mechanisms (such as browser-based Global Privacy Control signals) for targeted advertising and data sales, a requirement phased in under Virginia's amendments [6].
What Are Consumer Rights Under VCDPA That Businesses Need to Support
Virginia consumers hold six enforceable rights [8][10]:
- Right to access: Confirm whether their data is being processed and obtain a copy.
- Right to correction: Correct inaccuracies in their personal data.
- Right to deletion: Request deletion of personal data they provided or that was collected about them.
- Right to data portability: Receive a portable copy in a readily usable format.
- Right to opt out: Opt out of targeted advertising, the sale of personal data, and profiling for decisions with legal or significant effects.
- Right to appeal: If a business denies a request, consumers can appeal, and the business must respond within 60 days of the appeal.
Businesses must provide at least two methods for submitting requests (e.g., a web form and a toll-free number or email address) [9].
How Much Do VCDPA Compliance Violations Cost in Fines and Penalties
The Virginia Attorney General can impose civil penalties of up to $7,500 per intentional violation and up to $2,500 per unintentional violation [8][10]. Penalties can also include injunctive relief and attorney's fees.
Critically, the VCDPA originally included a 30-day cure period, businesses could fix violations before penalties were assessed. However, that cure period sunset on January 1, 2026, meaning the Attorney General now has discretion to pursue enforcement without offering a cure opportunity [6].
There is no private right of action, so individual consumers cannot sue businesses directly under the VCDPA. Enforcement is exclusively through the Office of the Attorney General.
How Is VCDPA Different from CCPA and What's the Difference from GDPR for East Coast Companies
Understanding Virginia's VCDPA: What East Coast Businesses Need to Know About Data Protection requires placing it in comparative context.
| Feature | VCDPA | CCPA/CPRA | GDPR |
|---|---|---|---|
| Private right of action | No | Limited (data breaches) | Yes (member states vary) |
| Opt-in for sensitive data | Yes | No (opt-out model) | Yes |
| Cure period | Expired Jan 2026 | Expired Jan 2023 | Not applicable |
| Max penalty per violation | $7,500 | $7,500 | Up to 4% global revenue |
| Data Protection Assessments | Required (high-risk) | Required (high-risk) | Required (DPIAs) |
| Legal basis for processing | Not required (general data) | Not required | Required (6 lawful bases) |
Key takeaway for East Coast businesses: The VCDPA is less burdensome than the GDPR in terms of legal basis requirements, but more prescriptive than the original CCPA on sensitive data consent. Businesses already GDPR-compliant will find VCDPA adaptation manageable; those only familiar with CCPA need to adjust their sensitive data workflows.
Do Small Businesses Need to Comply with Virginia's VCDPA
Small businesses below the 100,000-consumer or 25,000-consumer-plus-revenue thresholds are not required to comply with the VCDPA [10]. This is a meaningful exemption that distinguishes Virginia's law from some international frameworks.
However, "small" is relative. A niche SaaS tool with 110,000 free-tier Virginia users crosses the volume threshold regardless of revenue. Businesses should:
- Audit actual consumer data volumes annually
- Track whether data sales constitute 50%+ of revenue
- Reassess thresholds as the business scales
Even exempt businesses benefit from building privacy-forward practices early, as compliance retrofitting is consistently more expensive than proactive design.
What Are Common Mistakes Companies Make with VCDPA Compliance
1. Misclassifying processors as controllers (or vice versa). Vendors who make independent decisions about data use are controllers, not processors. Misclassification leads to inadequate contractual protections and unaddressed obligations.
2. Ignoring universal opt-out signals. Many businesses built opt-out flows only for manual requests, overlooking the requirement to honor browser-level signals like Global Privacy Control [6].
3. Failing to update data processing agreements. The VCDPA requires specific contractual provisions between controllers and processors. Generic vendor contracts often lack them [1].
4. Treating sensitive data like general personal data. Processing biometric, health, or precise geolocation data without opt-in consent is a distinct violation, not just a procedural gap.
5. Assuming the cure period still applies. With the cure period expired as of January 2026, businesses can no longer rely on a correction window before enforcement action [6].
6. Omitting the appeal mechanism. Many privacy policies and request workflows lack a documented appeals process, which is a required element under the VCDPA [9].
How Do I Audit My Business for VCDPA Readiness
A VCDPA readiness audit should cover five domains:
- Threshold assessment: Map all Virginia consumer data flows and calculate annual processing volumes against the statutory thresholds.
- Data inventory: Catalog all personal data categories collected, their sources, purposes, retention periods, and third-party recipients.
- Sensitive data review: Identify any sensitive data categories and confirm opt-in consent mechanisms are in place.
- Rights infrastructure: Test all six consumer rights workflows end-to-end, including the appeals process.
- Vendor contracts: Review all processor agreements for VCDPA-required provisions (processing instructions, confidentiality, subprocessor controls, audit rights) [7].
For businesses managing consent across multiple digital touchpoints, a consent management platform such as Biscotti CMP can centralize opt-out signal handling and maintain auditable consent records, supporting both VCDPA and multi-state compliance programs.
What Should My Privacy Policy Say to Be VCDPA Compliant
A VCDPA-compliant privacy policy must disclose [8][9]:
- The categories of personal data processed
- The purpose for processing each category
- How consumers can exercise their six rights, including the appeal process
- Whether personal data is sold or used for targeted advertising (with opt-out instructions)
- The categories of third parties with whom data is shared
- Contact information for submitting requests (at least two methods)
- If sensitive data is processed, the basis for doing so (opt-in consent)
Policies should be written in plain language, be reasonably accessible (linked prominently on websites and apps), and be updated whenever data practices materially change.
Conclusion and Actionable Next Steps
Virginia's VCDPA represents one of the most substantive state privacy frameworks in the United States, and the July 2026 addition of a precise geolocation data sale ban signals that Virginia's legislature intends to keep strengthening it. For East Coast businesses, the law's extraterritorial reach means that geography is no defense, data volume and processing purpose determine exposure.
Actionable steps for 2026:
- Run a threshold analysis against your current Virginia consumer data volumes before year-end.
- Audit all sensitive data workflows, particularly any involving precise geolocation, biometric, or health data, for opt-in consent compliance.
- Confirm your privacy policy includes all six consumer rights and a documented appeals mechanism.
- Review processor agreements for VCDPA-required contractual provisions.
- Implement or verify universal opt-out signal handling (Global Privacy Control) across your digital properties.
- Consider a consent management solution such as Biscotti CMP to automate consent collection, opt-out signal processing, and compliance documentation.
- Schedule annual threshold reassessments as your business scales.
The cure period is gone. Enforcement is live. Businesses that treat VCDPA compliance as a one-time checkbox rather than an ongoing operational discipline face the greatest risk.
FAQ
Q: Does the VCDPA apply to nonprofits? No. Nonprofit organizations are explicitly exempt from the VCDPA's requirements [10].
Q: Can a Virginia consumer sue my business directly under the VCDPA? No. The VCDPA has no private right of action. Only the Virginia Attorney General can bring enforcement actions [8].
Q: What is the deadline to respond to a consumer rights request? Businesses must respond within 45 days of receiving a verifiable request. A one-time 45-day extension is permitted if the business notifies the consumer of the delay and the reason [9].
Q: Is employee data covered by the VCDPA? Employee data processed in the context of employment is exempt under the VCDPA. However, this exemption is narrowly construed and does not cover all HR-adjacent data uses [1].
Q: What counts as "selling" personal data under the VCDPA? The VCDPA defines "sale" as the exchange of personal data for monetary consideration. Unlike the CCPA, it does not extend to non-monetary valuable consideration, which is a meaningful distinction for ad-tech arrangements [5].
Q: Do I need a Data Protection Officer under the VCDPA? No. The VCDPA does not require appointment of a Data Protection Officer, unlike the GDPR [7].
Q: What changed with SB 338 in 2026? SB 338, effective July 1, 2026, prohibits the sale of precise geolocation data, adding a new categorical restriction beyond the general opt-out framework that previously governed such data [2][3].
Q: How does the VCDPA define "precise geolocation"? Precise geolocation means data derived from technology that identifies a consumer's location within a radius of 1,750 feet or less [10].
Q: Are data protection assessments required for all processing activities? No. Assessments are required only for high-risk processing: targeted advertising, data sales, sensitive data processing, profiling with legal/significant effects, and processing that presents a heightened risk of harm [1][9].
Q: What happens if a consumer appeals a denied request? The business must complete the appeal review within 60 days and inform the consumer of the outcome. If the appeal is denied, the business must provide information on how the consumer can contact the Attorney General [8].
Interactive VCDPA Compliance Threshold Checker
References
[1] Virginia Consumer Data Protection Act Guide - https://privacylawmap.com/blog/virginia-consumer-data-protection-act-guide
[2] Virginia Expands VCDPA With Ban On Sale of Precise Geolocation Data - https://www.jdsupra.com/legalnews/virginia-expands-vcdpa-with-ban-on-sale-7091146/
[3] VCDPA Amended - https://www.cblaw.com/vcdpa-amended
[4] Virginia CDPA - https://clearlaunch.dev/cs/regulations/virginia-cdpa
[5] Virginia Consumer Data Protection Act (VCDPA) - https://pro.bloomberglaw.com/insights/privacy/virginia-consumer-data-protection-act-vcdpa/
[6] VCDPA Amendment Process Complete: Text Finalized Ahead of Jan 1 Effective Date - https://iapp.org/news/a/vcdpa-amendment-process-complete-text-finalized-ahead-of-jan-1-effective-date
[7] Consumer Data Privacy Law Guide: Virginia - https://www.bakerdonelson.com/consumer-data-privacy-law-guide-virginia
[8] Virginia Consumer Data Protection Act Summary - https://www.oag.state.va.us/consumer-protection/files/tips-and-info/Virginia-Consumer-Data-Protection-Act-Summary-2-2-23.pdf
[9] VCDPA Overview - https://termly.io/resources/articles/vcdpa/
[10] Virginia Code Title 59.1, Chapter 53 - https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/