Virginia Consumer Data Protection Act (VCDPA)

Everything you need to know about Virginia’s comprehensive data privacy law

In 2021, Virginia became the second state after California to enact comprehensive consumer privacy legislation. With several key differences between the two laws, the VCDPA offers an alternative model for other states planning to enact their own data and privacy protections.

Bloomberg Law delivers expert analysis on the issues shaping state, federal, and international data and privacy laws. From risk mitigation and compliance challenges to legislative initiatives affecting how companies do business, rely on Bloomberg Law for the actionable guidance you need to make informed decisions.

Authoritative analysis on privacy and data security law

With evolving and emerging technologies come new risks and responsibilities. Bloomberg Law’s essential news, expert analysis, and practice tools give you deeper insights that help you stay ahead of privacy and data security developments and protect your business.


The VCDPA vs. CCPA: Comparing State Privacy Laws

Download this chart for an at-a-glance comparison of the elements of each law – including key similarities and differences.


Checklist: Is Your Business Subject to the VCDPA?

Use this questionnaire to determine whether the VCDPA applies to your organization.


2024 Guide: Data Privacy and Cybersecurity Risk

This report analyzes the most pressing data privacy and cybersecurity challenges facing in-house counsel, from AI regulations to child online privacy laws. 

Compliance for data controllers

Who is a ‘controller’?

A controller is the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.

What are the main obligations and requirements of a controller?

Under the VCDPA, controllers are obligated to:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Establish one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.
  • Disclose any sale of personal data to third parties or any processing of personal data for targeted advertising and provide a means for consumers to exercise their right to opt out of such processing.
  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice.

Are there special obligations related to de-identified personal data?

Yes. A controller in possession of de-identified data must:

  1. Take reasonable measures to ensure that the data cannot be associated with a natural person;
  2. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
  3. Contractually obligate any recipients of the de-identified data to comply with all provisions of the VCDPA.

Complying with consumer rights requests

To facilitate the exercise of consumer rights, the VCDPA requires a controller to:

  • establish a process for consumers to submit authenticated requests to exercise their consumer rights;
  • comply with consumer requests to exercise their rights;
  • respond to consumer requests within 45 days of receipt;
  • respond free of charge, up to twice annually per consumer;
  • consider appeal of the decision;
  • establish a process for a consumer to appeal the refusal to take action.

When can a controller refuse to comply with an authenticated consumer rights request?

A controller (or processor) need not comply with an authenticated consumer rights request if all the following are true:

  1. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
  2. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  3. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted.

When must a controller perform a data protection assessment?

A controller must conduct and document a data protection assessment in each of the following circumstances:

  1. when processing personal data for purposes of targeted advertising;
  2. when selling personal data;
  3. when processing personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
  4. when processing sensitive data; and
  5. for any processing of personal data that presents a heightened risk of harm to consumers.

What must be included in a data protection assessment?

A data protection assessment must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.

Are data protection assessments for internal use only?

No. The Virginia attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in Va. Code § 59.1-578.

What is a controller prohibited from doing?

The VCDPA prohibits a controller from:

  • Processing personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the controller obtains the consumer’s consent;
  • Processing sensitive data concerning a consumer without obtaining the consumer’s consent;
  • Discriminating against a consumer for exercising any consumer right;
  • Attempting to waive or limit consumer rights in any way.

Compliance for data processors

Who is a ‘processor’?

A processor is a natural or legal entity that processes personal data on behalf of a controller.

What are the main obligations and requirements of a processor?

A processor must adhere to the instructions of a controller and must assist the controller in meeting its obligations under the VCDPA.

Data processing contracts

A contract between a controller and a processor governs the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

What specific terms must be included in a processor’s contract?

The contract must require the processor to:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
  2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
  3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the VCDPA.
  4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.
  5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Authoritative analysis on consumer data privacy laws from Bloomberg Law

From live events to in-depth reports, discover singular thought leadership on consumer data privacy laws across the U.S. and around the world. Our expert network of analysts are always on the case, so you can make yours.

Save valuable time when you trust Bloomberg Law to tackle complex data privacy requirements with ease. Request a demo to learn more.

Recommended for you

See Bloomberg Law in action

From live events to in-depth reports, discover singular thought leadership from Bloomberg Law. Our network of expert analysts is always on the case – so you can make yours. Request a demo to see it for yourself.