How to Comply with State Data Privacy Laws in Virginia

Virginia was the second state in the country to enact comprehensive consumer data privacy legislation, and since the Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, it has become one of the most influential privacy frameworks in the United States. More than a dozen other states have since modeled their own privacy laws on Virginia's framework rather than California's stricter, more consumer-heavy CCPA, which makes understanding the VCDPA valuable not just for Virginia compliance but for building a privacy foundation that scales across multiple state laws simultaneously.

In 2026, the VCDPA is no longer a new law that businesses can approach cautiously — it is an active enforcement priority. Virginia Attorney General Jay Jones announced in February 2026 a specific intent to prioritize enforcement of the law's minor protection provisions, and the Virginia legislature has passed SB 338, a unanimous bill that would amend the VCDPA to ban the sale of precise geolocation data — adding Virginia to a growing coalition of states restricting location data commerce. Whether your business is based in Richmond, operates entirely online, or targets Virginia residents from out of state, this step-by-step guide covers everything you need to know to achieve and maintain compliance in 2026.

Step 1: Determine Whether the VCDPA Applies to Your Business

The first compliance step is confirming whether your organization is actually subject to the VCDPA. The law applies to any entity that conducts business in Virginia or produces products or services targeted to Virginia residents, and that meets either of the following thresholds during a calendar year:

  • Tier 1: Controls or processes the personal data of at least 100,000 consumers, or
  • Tier 2: Controls or processes the personal data of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal data

Notably, the VCDPA has no revenue threshold — unlike some state privacy laws, even a small business that crosses the consumer data volume thresholds is covered. The law applies to for-profit entities only, and several categories of organizations and data types are explicitly exempt, including state and local government entities, HIPAA-covered entities processing protected health information (though only for that specific data), FERPA-covered educational institutions, FCRA-regulated credit data, financial institutions covered by GLBA, and nonprofit organizations. The definition of "consumer" covers Virginia residents acting in personal or household contexts — it does not extend to employees or individuals acting in a commercial capacity.

Step 2: Understand the Controller-Processor Distinction

The VCDPA draws a clear line between two types of entities, borrowed directly from the European GDPR framework. A controller is any entity that, alone or jointly with others, determines the purposes and means of processing personal data. A processor is an entity that processes personal data on behalf of a controller. Most businesses that interact directly with customers or website visitors are controllers; cloud vendors, marketing platforms, payroll processors, and analytics tools you use to handle that data on your behalf are typically processors.

This distinction matters because controllers bear the primary compliance burden. Controllers must establish the lawful basis for processing, respond to consumer rights requests, conduct data protection assessments, and publish privacy notices. Processors must operate under a written contract with controllers that includes specific requirements: maintaining confidentiality of personal data, deleting or returning data at the end of the contract, providing information to demonstrate compliance upon request, and flowing down the same requirements to any subprocessors they engage.

Step 3: Conduct a Data Mapping and Inventory Exercise

You cannot comply with a law governing data you don't know you have. Before any other compliance work, organizations should conduct a thorough data mapping exercise to identify every category of personal data collected, where it comes from, where it flows, how long it's retained, and which third parties receive it. Under the VCDPA, "personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person — including names, email addresses, IP addresses, mobile advertising identifiers, hashed emails, and precise geolocation data.

Pay particular attention to sensitive data, which the VCDPA treats as a separate, higher-risk category requiring explicit opt-in consent before processing. Sensitive data under the VCDPA includes: racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation or gender identity, citizenship or immigration status, genetic data, biometric data processed for the purpose of uniquely identifying an individual, precise geolocation data, and personal data of known children. If your data map surfaces any of these categories, additional consent workflows are mandatory.

Step 4: Publish a Compliant Privacy Notice

The VCDPA requires controllers to provide consumers with a clear, reasonably accessible privacy notice that discloses at minimum: the categories of personal data processed; the purposes for processing; how consumers can exercise their VCDPA rights; the categories of personal data shared with third parties; the categories of those third parties; and an active email address or online mechanism for submitting rights requests.

If your business sells personal data, uses it for targeted advertising, or engages in certain types of profiling, the privacy notice must disclose these activities and explain the opt-out mechanism. Virginia does not currently require businesses to honor universal opt-out signals like Global Privacy Control (GPC) — unlike California, Colorado, and Connecticut — but legislative pressure in this direction has grown steadily.

Step 5: Build Consumer Rights Request Workflows

The VCDPA grants Virginia consumers five enforceable rights, and controllers must establish reliable, authenticated processes for responding to each:

1. Right to Access — Consumers may confirm whether a controller is processing their personal data and request a copy of it. Controllers must respond within 45 days, with one 45-day extension permitted if circumstances require it and the consumer is notified.

2. Right to Correction — Consumers may request correction of inaccurate personal data. Controllers must take reasonable steps to correct identified inaccuracies.

3. Right to Deletion — Consumers may request deletion of personal data they have provided or that has been collected about them.

4. Right to Data Portability — Consumers may request a copy of their personal data in a portable format that allows transmission to another controller, limited to twice per year.

5. Right to Opt Out — Consumers may opt out of the sale of their personal data, its use for targeted advertising, and certain types of profiling that produce legal or similarly significant effects. This opt-out must be made available through a clear and conspicuous mechanism in your privacy notice and on your website.

Controllers must respond to verified consumer rights requests within 45 days. They must authenticate requests through reasonable means — confirming that the person making the request is the consumer whose data is at issue — before acting on them. If a controller denies a request, the consumer must be informed of the reason and provided a method to appeal the decision within a reasonable time. Appeals must be responded to within 60 days, and if the appeal is denied, consumers must be informed of their right to submit a complaint to the Virginia Attorney General.

Step 6: Obtain Consent for Sensitive Data and Children's Data

Sensitive data cannot be processed without explicit opt-in consent from the consumer. This requires a clear affirmative act — not pre-checked boxes, not continued browsing — signifying informed, unambiguous agreement to the specific processing described. Effective January 1, 2025, children's data protections were significantly strengthened: any controller offering online services, products, or features directed to known children must conduct data protection assessments, and effective January 1, 2026, controllers operating social media platforms must verify whether users are minors under 16, limit their usage to one hour per day per platform, and disable features associated with addictive design patterns. The Virginia AG has specifically announced enforcement of these minor protection provisions as a 2026 priority.

Step 7: Execute Data Processing Agreements with All Processors

Every third-party vendor your business uses to handle Virginia consumers' personal data — email service providers, analytics platforms, CRM systems, payroll processors — must be operating under a written data processing agreement (DPA) that meets the VCDPA's contractual requirements. The DPA must specify that the processor: processes data only on documented instructions from the controller; maintains confidentiality of personal data; deletes or returns all data when the agreement ends; makes compliance information available upon the controller's request; cooperates with or arranges for assessments; and ensures any subprocessors are bound by equivalent requirements. Existing vendor contracts signed before the VCDPA took effect frequently lack these provisions and should be reviewed and updated accordingly.

Step 8: Conduct and Document Data Protection Assessments

Controllers must complete data protection assessments (DPAs) before undertaking any high-risk processing activity, including:

  • Processing sensitive data
  • Selling personal data
  • Processing for targeted advertising
  • Processing for profiling that produces legal or significant effects on consumers
  • Processing children's data (online services directed to known children)

A data protection assessment must identify and weigh the direct and indirect benefits of the processing activity against the potential risks to consumers. The Virginia AG can demand these assessments during an investigation, so they must be thorough and documented rather than perfunctory. If your business is already required to conduct data protection impact assessments under GDPR or similar laws, the VCDPA explicitly allows a single assessment to satisfy multiple laws' requirements, provided it covers comparable processing operations.

Step 9: Implement Data Security Measures

The VCDPA requires controllers and processors to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of personal data they handle. The law doesn't prescribe specific technical standards, but "reasonable" is interpreted against industry norms — organizations processing sensitive data or large volumes of consumer records are expected to implement correspondingly stronger controls. At minimum, reasonable security typically includes encryption of stored personal data, access controls limiting data access to authorized personnel, audit logging, and documented incident response procedures covering detection, containment, and breach notification.

Enforcement: Penalties, the Cure Period, and What to Expect in 2026

The VCDPA is enforced exclusively by the Virginia Attorney General — there is no private right of action, meaning individual consumers cannot sue businesses directly for violations. Before initiating enforcement, the AG must provide written notice and allow 30 days to cure the alleged violation. This cure period is permanent with no sunset provision — a more business-friendly stance than Colorado (whose cure period expired January 1, 2025) or Connecticut (which eliminated its cure period). If a violation is not cured, civil penalties of up to $7,500 per violation plus attorney fees apply, with a cap of $2.5 million per investigation, and the AG can also seek injunctive relief. In February 2026, AG Jones explicitly announced enforcement would ramp up — particularly around minor protection provisions — signaling that the window for treating VCDPA compliance as a low-priority obligation is closing.

2026 VCDPA Updates to Monitor

The legislative landscape around the VCDPA continues to evolve, and several changes demand attention. <cite index="2-1">The Virginia legislature passed SB 338 unanimously, which would amend the VCDPA to prohibit controllers from selling or offering to sell precise geolocation data</cite> — if signed, this would add a significant new restriction affecting advertising technology, data broker activity, and any service that monetizes location. The minor protection provisions that took effect January 1, 2026, including screen time limits and a ban on addictive design features for users under 16 on social media platforms, are actively being enforced. Businesses should also monitor the ongoing national movement toward requiring Global Privacy Control support as an opt-out mechanism, since Virginia's current exemption may not remain permanent as legislative sessions continue.

Frequently Asked Questions

Does the VCDPA apply to businesses outside Virginia? Yes. <cite index="5-1">The VCDPA applies to entities that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth of Virginia</cite> — regardless of where the business is headquartered. A California-based e-commerce company that markets to and collects data from Virginia residents is fully subject to the law if it meets the data processing thresholds.

Are nonprofits exempt from the VCDPA? Yes. Nonprofit organizations are explicitly exempt from the VCDPA. Other exempt entities include state and local government bodies, HIPAA-covered entities processing protected health data, FERPA-covered educational institutions, and financial institutions regulated by the Gramm-Leach-Bliley Act.

What is the difference between selling data and sharing it under the VCDPA? The VCDPA defines "sale of personal data" as an exchange for monetary or other valuable consideration, which is intentionally broad and can include data shared in exchange for services or advertising arrangements rather than direct cash payment. Data shared with processors under a service contract, or disclosed for legal compliance purposes, generally does not constitute a "sale."

What is the fastest way to start VCDPA compliance? Begin with a data mapping exercise to understand what personal data you collect and process, then audit your privacy notice against the required disclosures, build a consumer rights request intake and response process, audit all vendor contracts for DPA compliance, and conduct data protection assessments on any high-risk processing activities. Working through these steps systematically also builds the documentation the AG's office would request in an investigation.

Final Thoughts

The Virginia Consumer Data Protection Act is one of the most replicable privacy frameworks in the United States, and businesses that achieve genuine VCDPA compliance in 2026 will find themselves well-positioned for compliance with the dozen-plus other state laws modeled on the same framework. The permanent 30-day cure period makes Virginia's enforcement environment more forgiving than California's or Colorado's, but the AG's February 2026 enforcement announcement and the ramp-up around minor protection provisions signal that the window for treating this as a low-risk obligation is closing. For the full statutory text and the most current version of the law including 2026 amendments, the official reference is the Code of Virginia, Title 59.1, Chapter 53, and the Virginia AG's consumer protection office maintains current VCDPA guidance and complaint processes for businesses and consumers alike.

Previous Post Next Post

Contact Form