Checklist: Is Your Business Subject to the VCDPA?

Virginia’s Consumer Data Protection Act (VCDPA) – which went into effect Jan. 1, 2023 – is the second state-based comprehensive consumer data privacy law in the U.S. The act creates rights and obligations related to the collection and processing of personal data of Virginia consumers.

While the law generally applies to organizations that do business in Virginia or offers products and services targeted to Virginia residents, it lays out an array of exemptions for various types of entities.

The following questionnaire is intended to help organizations determine whether the VCDPA applies to their operations; it is not meant to provide a comprehensive assessment of the law’s applicability in every case.

[Download the full questionnaire as a PDF.]

Who does the VCDPA apply to?

The VCDPA imposes obligations on persons or businesses that check “yes” to both of the following questions.

1. Do you conduct business in the Commonwealth of Virginia, or do you produce goods or offer services that are targeted to Virginia residents?

□ Yes
□ No

2. During a calendar year, do you either:

• • Control or process the personal data of at least 100,000 Virginia residents, OR
  • Control or process the personal data of at least 25,000 Virginia residents and derive more than 50 percent of your gross revenue from the sale of personal data?

□ Yes
□ No

VCDPA exemptions

If your organization answers “yes” to any items listed in questions 3 through 10, it falls within a statutorily recognized exemption.

1. Are you a corporation organized under the Virginia Nonstock Corporation Act (Va. Code § 13.1-801 et seq.)?

□ Yes
□ No

2. Are you an organization exempt from taxation under 26 U.S.C. § 501(c)(3), 501(c)(6), or 501(c)(12) of the federal Internal Revenue Code?

□ Yes
□ No

3. Are you a subsidiary or an affiliate of an entity organized pursuant to Title 56, Chapter 9.1 of Va. Code § 56-231.15 et seq.?

□ Yes
□ No

4. Are you a nonprofit private institution of higher education in the Commonwealth of Virginia or a proprietary private institution of higher education as defined in Va. Code § 23.1-100?

□ Yes
□ No

5. Are you a public institution of higher education, which includes the Virginia Community College System as well as each associate-degree-granting and baccalaureate public institution of higher education in the Commonwealth of Virginia?

□ Yes
□ No

6. Are you a body, authority, board, bureau, commission, district, or agency of the Commonwealth of Virginia or of any political subdivision of the commonwealth?

□ Yes
□ No

7. Are you a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.)?

□ Yes
□ No

8. Are you a covered entity or business associate governed by HIPAA’s privacy, security, and breach notification rules?

□ Yes
□ No

Navigate privacy law compliance with confidence with Bloomberg Law

If you do business in Virginia, it’s important that you stay in compliance with the new VCDPA requirements for collecting and processing the data of Virginia consumers. Download this questionnaire to stay ahead of how the law and its exemptions may apply to your business operations.

As more states enact consumer data privacy laws, legal professionals will need to stay on top of the dynamic field of state privacy laws and requirements, and how they apply to various organizations. Provide sound counsel to your clients and stakeholders with expert analysis, comprehensive coverage, news, and practice tools from Bloomberg Law. See it for yourself. Request a demo.