Virginia did not exactly copy California’s privacy homework, but it definitely sat close enough to peek. With the Virginia Consumer Data Protection Act, commonly called the VCDPA or CDPA, the Commonwealth became one of the earliest U.S. states to adopt a broad consumer privacy law modeled in part on the California Consumer Privacy Act. The result is a law that gives Virginia residents more control over their personal data while requiring many businesses to clean up their data practices, update privacy notices, and stop treating customer information like loose change in a couch cushion.
The law was signed in 2021 and became effective on January 1, 2023. It arrived at a time when the United States still lacked a single comprehensive federal privacy law, leaving states to build their own frameworks. California went first with the CCPA, then strengthened it through the CPRA. Virginia followed with a somewhat leaner, business-friendlier approach that still introduced serious privacy rights, controller obligations, processor contracts, data protection assessments, and Attorney General enforcement.
For consumers, the message is simple: your data is not invisible just because it lives in a database. For businesses, the message is equally simple: if you collect, analyze, sell, target, profile, or store personal data at scale, “we have always done it this way” is no longer a compliance strategy. It is a flashing dashboard warning light.
What Is the Virginia Consumer Data Protection Act?
The Virginia Consumer Data Protection Act is a comprehensive state privacy law that governs how covered organizations collect and process personal data about Virginia residents. It uses privacy language familiar to anyone who has studied the GDPR: “controllers” decide why and how personal data is processed, while “processors” handle personal data on behalf of controllers.
The VCDPA protects “personal data,” meaning information linked or reasonably linkable to an identified or identifiable natural person. That can include names, account details, device identifiers, online behavior, precise location information, and other data points that can point back to a real person. De-identified data and publicly available information are generally excluded, but businesses should not wave the word “anonymous” around like a magic wand. If information can realistically be reconnected to a person, regulators may not be amused.
Virginia’s law applies to people acting in an individual or household context. It does not generally cover individuals acting in employment or commercial roles. That is one important difference from California’s expanded privacy regime, which now reaches deeper into employee and business-contact data.
Why Virginia’s Law Is Called “CCPA-like”
The phrase “CCPA-like” makes sense because Virginia’s law follows the same big-picture idea: consumers should know more about what companies do with their data and should have practical rights to access, delete, correct, and opt out of certain uses. Like California’s privacy law, the VCDPA focuses on transparency, consumer control, data minimization, and business accountability.
Still, Virginia did not create a carbon copy. The VCDPA has its own personality. Think of California as the privacy law with a huge rulebook, a whistle, and a clipboard. Virginia is more streamlined, but it still expects businesses to document high-risk processing, honor privacy rights, and stop pretending that a vague privacy policy written in legal fog counts as meaningful notice.
Who Must Comply With the VCDPA?
The Virginia privacy law applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents and meet one of two thresholds. First, the organization may be covered if it controls or processes personal data of at least 100,000 consumers during a calendar year. Second, it may be covered if it controls or processes data of at least 25,000 consumers and derives more than 50 percent of gross revenue from the sale of personal data.
This structure matters because the VCDPA does not simply apply to every business with a website. A tiny local bakery that keeps an email list probably does not need to panic into its mixing bowl. But a technology platform, large e-commerce company, data broker, app developer, advertising network, subscription service, or analytics-heavy business targeting Virginia residents should pay close attention.
The law also includes major exemptions. State and local government bodies, nonprofits, institutions of higher education, certain financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities or business associates governed by HIPAA are generally outside the law’s main scope. The VCDPA also excludes several categories of regulated information, including certain health, credit, education, employment, and driver privacy data.
Consumer Rights Under Virginia’s Privacy Law
The VCDPA gives Virginia consumers a bundle of privacy rights that should feel familiar in the modern data-rights era. Consumers may ask a covered controller to confirm whether it is processing their personal data and may request access to that data. They may also request correction of inaccuracies, deletion of personal data provided by or obtained about them, and a portable copy of personal data they previously provided.
The opt-out right is especially important. Virginia consumers can opt out of processing for targeted advertising, the sale of personal data, and certain forms of profiling that produce legal or similarly significant effects. In plain English, if a company uses personal data to follow people around the internet with ads, sells qualifying personal data, or uses automated profiling in ways that affect access to important opportunities, the consumer may have a right to say, “No thanks, please stop.”
How Quickly Must Businesses Respond?
Controllers generally must respond to consumer requests within 45 days. If the request is complex or the company receives many requests, the controller may extend the response period once by another 45 days, as long as it informs the consumer within the initial response window. Responses must generally be free up to twice per year per consumer.
If a business refuses a request, it must explain why and provide instructions for appeal. If the appeal is denied, the company must tell the consumer how to contact the Virginia Attorney General. That appeal requirement is not decorative. It creates a paper trail, and in privacy compliance, paper trails are the seat belts of the legal world: boring until the moment you really need one.
What Counts as Sensitive Data?
The VCDPA places heightened protections around sensitive data. This includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data used to uniquely identify a person, personal data collected from a known child, and precise geolocation data.
Businesses must obtain consent before processing sensitive data. That means a company cannot quietly bury sensitive-data processing in a maze-like privacy policy and hope users brought snacks and a flashlight. Consent must be clear, affirmative, informed, specific, and unambiguous.
Business Obligations: More Than a Privacy Policy
One of the most important lessons of the Virginia consumer privacy law is that compliance is operational, not cosmetic. A business cannot simply paste “We value your privacy” at the top of a webpage and call it a day. Under the VCDPA, covered controllers must limit personal data collection to what is adequate, relevant, and reasonably necessary for disclosed purposes. They must also maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data.
Controllers must provide clear privacy notices that explain categories of personal data processed, processing purposes, how consumers can exercise their rights, categories of personal data shared with third parties, and categories of third parties receiving the data. If a controller sells personal data or processes it for targeted advertising, that must be clearly disclosed, along with the method for opting out.
Processor Contracts Matter
The VCDPA also requires contracts between controllers and processors. These contracts must describe the nature and purpose of processing, the type of data involved, the processing duration, and the rights and obligations of both parties. They must also address confidentiality, deletion or return of personal data, subcontractor obligations, and cooperation with assessments.
For companies using cloud vendors, email platforms, analytics tools, customer support software, payment processors, marketing automation tools, or artificial intelligence services, this is a big deal. The privacy team may write the policy, but procurement, legal, marketing, engineering, and vendor management all end up at the same table. Ideally, someone brings coffee.
Data Protection Assessments: Virginia’s GDPR Flavor
One of the most significant parts of the Virginia privacy law is the requirement to conduct and document data protection assessments for certain high-risk processing activities. These include processing personal data for targeted advertising, selling personal data, processing sensitive data, profiling that creates reasonably foreseeable risks, and other processing activities that present a heightened risk of harm to consumers.
A data protection assessment weighs the benefits of processing against risks to consumer rights, considering safeguards that reduce those risks. In practice, this means businesses should ask hard questions before launching a new data project. What data are we collecting? Why do we need it? Could the same goal be achieved with less data? Are consumers likely to expect this use? Could the processing create discrimination, financial harm, reputational injury, or intrusive tracking?
This is where privacy becomes strategy. A company that maps risks early can avoid expensive redesigns later. A company that ignores risk until launch day may discover that “move fast and break things” is less charming when the broken thing is consumer trust.
How Virginia Differs From California
Virginia and California share the same broad privacy spirit, but their laws differ in important ways. California’s privacy framework includes a revenue threshold, while Virginia’s law focuses more on the volume of consumer data processed and revenue from the sale of personal data. California also has a dedicated privacy agency, while Virginia enforcement belongs exclusively to the Attorney General.
Another major difference is the definition of “sale.” Virginia defines the sale of personal data as an exchange for monetary consideration. California’s approach is broader because it can include sharing or disclosing personal information for other valuable consideration, especially after CPRA changes. That means some advertising and data-sharing practices may trigger obligations in California that do not fit Virginia’s narrower sale definition, although Virginia’s targeted advertising opt-out still reaches many digital advertising practices.
Virginia also does not create a private right of action. Consumers cannot sue companies directly for VCDPA violations under the law itself. Instead, enforcement is handled by the Attorney General. In contrast, California allows a limited private right of action for certain data breaches under the CCPA framework.
Enforcement and Penalties
The Virginia Attorney General has exclusive authority to enforce the VCDPA. Before bringing an action, the Attorney General generally must provide 30 days’ written notice identifying the alleged violation. If the controller or processor cures the violation within that period and provides a written statement that the issue has been fixed and will not recur, the Attorney General may not initiate an action based on that noticed violation.
If a company fails to cure the violation or breaks its written promise, the Attorney General may seek injunctions and civil penalties of up to $7,500 per violation. That number can become serious quickly. One violation sounds manageable; thousands of affected consumers turn the calculator into a horror movie prop.
What the VCDPA Means for Consumers
For Virginia residents, the VCDPA creates a more practical path to understanding and controlling personal data. A consumer can ask a business what data it has, request correction, request deletion, obtain a portable copy, and opt out of targeted advertising, sales, and certain profiling. These rights are not theoretical. They give consumers tools to challenge outdated profiles, reduce unwanted tracking, and limit some data-driven decision-making.
For example, a Virginia resident using a fitness app may want to know whether the company collects precise geolocation data or shares wellness-related information with advertising partners. A shopper may want to opt out of targeted advertising after browsing medical supplies or financial products. A parent may want to understand whether a child-directed service processes a known child’s personal data and whether parental consent is required.
What the VCDPA Means for Businesses
For businesses, the Virginia law is a reminder that privacy compliance is no longer only a California problem. A company selling products nationally may need to comply with multiple state privacy laws at once. The smartest approach is not to build a separate privacy program for every state like a house of cards in a wind tunnel. Instead, many organizations create a baseline privacy framework that can satisfy common requirements across Virginia, California, Colorado, Connecticut, Utah, and other state laws, then layer in state-specific differences.
A practical VCDPA compliance program usually starts with data mapping. Businesses need to know what personal data they collect, where it comes from, where it goes, who can access it, how long it is retained, and whether it is used for targeted advertising, sale, profiling, or sensitive-data processing. Without a data map, privacy compliance becomes guesswork in a blazer.
Next, companies should update privacy notices, build consumer request workflows, revise vendor contracts, implement opt-out mechanisms, evaluate sensitive-data consent, and conduct data protection assessments for high-risk activities. They should also train customer support and marketing teams, because privacy requests often arrive through ordinary channels, not neatly labeled “official legal request, please route to counsel.”
Children’s Privacy and Newer Virginia Developments
Virginia’s privacy law has continued to evolve. Amendments have strengthened protections involving children’s data, including requirements tied to known children under 13 and data protection assessments for online services, products, or features directed to children. Virginia also adopted a social media provision aimed at limiting minors under 16 to one hour per day per service or application unless parents adjust the limit. However, that social media restriction became the subject of litigation, and enforcement was blocked by a federal court while the dispute moved through the legal process.
These developments show that privacy law is no longer just about cookies and email lists. It now touches youth safety, mental health debates, algorithmic feeds, age verification, parental consent, free speech, and platform design. In other words, privacy law walked into the tech policy party and brought a very large suitcase.
Common Compliance Mistakes to Avoid
One common mistake is assuming that a privacy policy alone equals compliance. A privacy policy is only the front door. Behind it, the company still needs request-handling processes, authentication rules, vendor contracts, opt-out tools, consent records, retention limits, and security safeguards.
Another mistake is failing to distinguish between personal data, sensitive data, de-identified data, and publicly available information. These categories matter. Sensitive data triggers consent obligations, while de-identified data requires controls against re-identification. Treating all data the same may feel easier, but privacy law enjoys making “easy” expensive.
A third mistake is overlooking targeted advertising. Many businesses do not think of themselves as data companies, yet they use pixels, analytics scripts, ad platforms, customer match tools, and retargeting campaigns. Under Virginia’s law, targeted advertising is a key opt-out category. Marketing teams should know exactly what tools they use and what data flows through them.
Practical Examples of the VCDPA in Action
Consider an online clothing retailer that targets Virginia customers and processes data from more than 100,000 consumers. It uses browsing history to recommend products, email behavior to segment customers, and advertising pixels to retarget shoppers on other websites. Under the VCDPA, the retailer should disclose its personal data practices, provide a way to exercise rights, honor opt-outs for targeted advertising, and assess whether any high-risk processing requires documentation.
Now consider a mobile app that collects precise geolocation data to provide location-based recommendations. If that data is sensitive under Virginia law, the app should obtain proper consent before processing it. If the same app uses location patterns for profiling or targeted advertising, additional opt-out and assessment obligations may apply.
Finally, consider a software company that processes customer data only as a service provider for another business. It may be a processor rather than a controller, but that does not mean it can nap through compliance. It still needs contractual commitments, confidentiality protections, security practices, and cooperation with the controller’s obligations.
Experience-Based Insights: What Virginia’s Privacy Law Feels Like in the Real World
In practice, the Virginia Consumer Data Protection Act feels less like a single legal checklist and more like a company-wide maturity test. The first surprise many organizations face is that nobody has a complete map of the data. Marketing knows about ad platforms. Product knows about analytics events. Customer support knows about tickets. Engineering knows about logs. Finance knows about billing data. Legal knows everyone should have written this down yesterday. The VCDPA forces those teams to talk to one another, which can be awkward at first but extremely useful.
The second experience is that consumer rights sound simple until real requests arrive. “Delete my data” can involve customer profiles, backup systems, purchase records, email tools, support chats, analytics identifiers, and fraud-prevention records. Some data may need to be deleted. Some may need to be retained for legal or security reasons. Some may have come from sources other than the consumer. The business must respond clearly, authenticate the requester, and explain any denial. That requires a workflow, not a shrug.
The third lesson is that privacy notices become much better when written by people who understand the actual product. A generic policy stuffed with broad phrases may technically cover everything and explain almost nothing. A stronger notice tells consumers what data is collected, why it is used, what choices they have, and how to act on those choices. Plain language is not the enemy of legal accuracy. In fact, it may be the only way ordinary people can understand what is happening without needing a law degree and a gallon of coffee.
The fourth real-world experience is vendor cleanup. Many companies discover that old contracts do not say enough about data processing, confidentiality, subcontractors, deletion, audits, or cooperation with consumer requests. Updating these agreements can feel tedious, but it often reduces risk far beyond Virginia. A well-built vendor process can help with multiple state privacy laws, security reviews, and customer trust.
The fifth lesson involves targeted advertising. Businesses often underestimate how much personal data flows through advertising technology. A simple retargeting campaign may involve cookies, device identifiers, browsing activity, third-party platforms, and cross-site behavior. Under the VCDPA, that activity may require clear disclosure and an opt-out mechanism. The privacy team and marketing team should not meet for the first time after a complaint lands.
The most valuable experience, however, is cultural. Companies that treat privacy as a last-minute legal chore usually struggle. Companies that treat privacy as part of product design move faster with fewer surprises. They ask better questions early: Do we need this data? Can we reduce it? How long should we keep it? Would a consumer expect this use? What could go wrong? Those questions do not kill innovation. They make innovation sturdier.
Conclusion
Virginia’s adoption of a CCPA-like consumer privacy law marked an important turning point in U.S. privacy regulation. The VCDPA showed that comprehensive privacy rules were no longer a California-only experiment. By giving consumers rights to access, correct, delete, port, and opt out, Virginia pushed businesses toward greater transparency and accountability. By requiring data protection assessments, processor contracts, consent for sensitive data, and reasonable security practices, the law moved privacy from the legal department into daily operations.
For consumers, the law offers meaningful tools to understand and limit how personal data is used. For businesses, it creates both obligations and opportunities. The obligation is to comply. The opportunity is to earn trust in a market where people are increasingly tired of feeling tracked, profiled, and sorted by invisible systems. Privacy is no longer just a policy link in the footer. In Virginia, it is part of doing business.
Note: This article is for general informational and editorial purposes only. It is not legal advice. Businesses should consult qualified privacy counsel when applying the VCDPA or any state privacy law to specific operations.
