What Is the Virginia Consumer Data Protection Act (VCDPA)?

December 28, 2022

On March 2, 2021, Virginia Gov. Ralph Northam (D) signed the Virginia Consumer Data Protection Act (VCDPA) into law, making Virginia the second state after California to officially enact comprehensive consumer privacy legislation. The VCDPA went into effect Jan. 1, 2023.

What is the Virginia Consumer Data Protection Act (VCDPA)?

The VCDPA gives consumers the right to access their personal data and request that it be deleted by businesses. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. The law even contains some restrictions on the use of de-identified data, or data modified to no longer directly identify individuals from whom the data were derived. 

Entities conducting business in Virginia must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. Entities must control or process (i) the personal data of at least 100,000 consumers in a calendar year, or (ii) the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data. 

How does the VCDPA differ from the CCPA?

At just eight pages, the VCDPA is significantly more succinct than the California Consumer Privacy Act (CCPA). Analysis by Bloomberg Law suggests that the law’s brevity and clarity may result in the VCDPA becoming a model for future privacy legislation.  

The VCDPA clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context.” Unlike California, where the B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air.  

Additionally, businesses must satisfy one of the aforementioned thresholds to fall within the statute’s scope, and unlike California, the VCDPA makes no mention of a threshold based solely on annual gross revenue. Entities are not left to question whether the processing of data from a dozen or so consumers will subject them to the law. 

Virginia’s law has no significant recordkeeping requirements, aside from documenting data protection assessments. If a business already has in place a GDPR- or CCPA-compliant process for receiving and responding to data subject or consumer access requests, that process should be sufficient to handle requests from Virginia residents. 

Analysis: Virginia, Not California, Is Privacy’s Next Top Model

Read the full analysis of the similarities and differences between the Virginia and California data privacy legislation.

What are some potential points for clarification in the VCDPA?

1. Applicability

The VCDPA applies to persons who “conduct business” in the Commonwealth or produce products or services that are “targeted” to residents of Virginia. The statute, however, does not define what “targeted” means.

2. Right to Delete

The VCDPA permits consumers to request the deletion of personal data and was amended in April 2022 to include an exception for businesses that obtained such personal data from a source other than the consumer. However, it’s unclear whether the VCDPA’s general exceptions related to internal operations and other technical uses of data extend to consumer requests to delete personal data. It is also uncertain how Virginia will enforce consumer requests to delete personal data that has been incorporated into an automated decision-making algorithm—an issue that Bloomberg Law analysis has identified as relevant to several state consumer privacy laws.  

3. Access and Data Portability

The VCDPA grants consumers a right to obtain a copy of their personal data, and it specifically indicates that the copy be provided “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance ….” But that provision also includes a modifier: “where the processing is carried out by automated means.” It’s not clear what, exactly, “automated means” modifies. 

4. Targeted Advertising

The VCDPA defines “personal data” as any information that is “linked or reasonably linkable to an identified or identifiable natural person,” but the term does not include information that could be linked to a consumer’s device. 

It’s questionable whether the legislature intended to permit the use of cookies and IDFAs (Identifiers for Advertisers). 

5. Children’s Data

While the VCDPA extends to both online and offline data collection practices, it specifies that if a consumer is a child, the controller must comply with the federal Children’s Online Privacy Protection Act (COPPA). But COPPA applies only to personal information collected from children online. Does that leave controllers off the hook if they collect personal data from children offline? 

Analysis: Five Subtle Ambiguities in Virginia’s Privacy Law

Read the full article for more in-depth analysis of a handful of points from the VCDPA that experts say could use additional clarification. 

What are some limitations to the VCDPA?

The Virginia law has carve-outs for protected health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as for personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Those falling outside the scope of the law also include state agencies, nonprofit organizations, colleges and universities, and entities or data subject to Title V of the Gramm-Leach-Bliley Act (GLBA), which largely regulates banks and other financial institutions. 

Virginia residents aren’t able to directly sue over violations of the law. Enforcement is left in the hands of the state attorney general, who can seek damages of up to $7,500 per violation. 

A plus for business is the law’s 30-day cure period, which allows companies that receive letters alleging noncompliance to communicate with the attorney general’s office and remedy any potential violations before fines are imposed. 

Additionally, unlike the CCPA, the Virginia data privacy law explicitly allows businesses to offer different prices and levels of service to consumers enrolled in loyalty programs without having to comply with certain obligations. 
