Virginia Consumer Data Protection Act: What you need to know

Privacy Policy

Virginia Consumer Data Protection Act

Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Virginia Consumer Data Protection Act

As consumers become more interested in the privacy of their personal data online, more and more states are proposing and passing their own privacy bills. These bills provide consumers with certain privacy rights, require websites to have a Privacy Policy that makes very specific disclosures, and impose heavy fines for non-compliance. With more than twenty proposed privacy bills, it is more important than ever to keep an eye out on these changing compliance requirements.

On March 3, 2021, VA S 1392, the Virginia Consumer Data Protection Act (VCDPA) was signed into law. In this article, we will discuss all that you need to know about the Virginia Consumer Data Protection Act, including who it applies to, how it defines “personal data,” the rights that it provides to consumers, and its enforcement mechanisms so that you can be ahead of the curve on preparing for this law.

Virginia Consumer Data Protection Act: Who it applies to

All of the privacy laws in the United States have a broad reach, potentially applying to business outside of the state or country in which they are passed, and VCDPA is no exception. The law applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following factors:

  • During a calendar year, control or process the personal data of at least 100,000 Virginia consumers; or
  • Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

While at first glance, the law may seem to apply to larger businesses only, VCDPA defines “personal data” as “any information that is linked or is reasonably linkable to an identified or identifiable natural person.” Thus, if your website gets quite a few form submissions each year, you can easily meet this threshold. In addition, you may also be required to comply with this law if you are a vendor for a larger company that does meet the above thresholds.

Consumer rights

Virginia consumers are provided with the following privacy rights under this law:

  • To confirm whether the consumer’s personal data is processed and to access such personal data;
  • To correct inaccuracies in the consumer’s personal data;
  • To delete the consumer’s personal data;
  • To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller; and
  • To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling.

The Virginia Consumer Data Protection Act requires controllers to respond to consumer requests to exercise their privacy rights within 45 days, making it imperative to develop streamlined procedures for responding to such requests.

Virginia Consumer Data Protection Act: Privacy Policy requirements

Similar to other privacy laws, VCDPA requires businesses to have an accessible, clear, and meaningful Privacy Policy that includes the following disclosures:

  • The categories of personal data processed;
  • The purposes of processing the personal data;
  • How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request;
  • The categories of personal data that you share with third parties, if any;
  • Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing; and
  • One or more secure and reliable means for consumers to submit a request to exercise their privacy rights.

As you can see from the above list, this law requires updates to the Privacy Policies of many businesses.


The Virginia Consumer Data Protection Act is enforced by Virginia’s Attorney General. Upon the finding of a violation (e.g. not having a Privacy Policy), a company would have 30 days to cure the violation. Failure to cure would allow the Attorney General to issue fines of up to $7,500 per violation. In this case, “per violation” would mean per website visitor from Virginia whose privacy rights were infringed upon, meaning that fines could quickly add up to large sums.

Termageddon customer had their Privacy Policies automatically updated (as needed) prior to January 1st, 2023, which was the law’s effective date. If you are not already a Termageddon customer, check out our Privacy Policy generator to create a Privacy Policy that will update before this law goes into effect.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates