Iubenda logo
Start generating


Table of Contents

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and Virginia became the second state in the United States to enact a comprehensive data privacy law after California. 

The VCDPA went into effect on January 1, 2023, and affects organizations that do business in Virginia or provide products/services to people in Virginia. In other words, your organization does not need to be located in Virginia to be affected by the VCDPA.

🚀 Learn more about the VCDPA in this article, including whether or not you’ll be affected and how to become compliant.

Short on time? Jump to what you need to do to prepare for the VCDPA →

What is the Virginia Consumer Data Protection Act (VCDPA)?

The VCDPA grants users the right to access their data and requests that organizations remove their personal data. It also compels businesses to complete data security assessments when processing personal data for, among others, targeted advertising and sales.

Under the VCDPA, personal data means any information that is linked or reasonably linkable to an identified or identifiable person.

Therefore it’s important to note that IP addresses can be considered personal data as long as they are “linked or reasonably linkable to an identified or identifiable natural person”.

Will my Organization be affected by the VCDPA?

To fall under the scope of the Act, organizations doing business in Virginia must meet one of two levels, and both thresholds address a minimum number of affected users. 

Organizations that control or process:
  1. at least 100,000 users’ personal data in a calendar year, or 
  2. at least 25,000 users’ personal data while generating more than 50% of gross revenue from the sale of that data

will be affected by the VCDP. Keep reading to find out how your business can become compliant. 👇

📌 Your Privacy Policy under the VCDPA

Your organization must provide users with a reasonably accessible, clear, and meaningful privacy notice. Here is the full checklist of information that you must include in your privacy policy. 

Privacy Policy Checklist ✅

Include the categories of personal data processed by your organization.

Include your organization’s purpose for processing personal data.

Inform your users of how they may exercise their rights (see below), including how they can appeal a decision on their requests. You must provide one or more methods for users to submit a request.

Include the categories of personal data that your organization shares with third parties if any.

Include the categories of third parties, if any, with whom your organization shares personal data.

Did you know?

iubenda’s Privacy and Cookie Policy Generator allows you to add all United States disclosures in one simple click!

Simply click “Enable disclosures for Users residing in the United States” to activate the new US-specific clauses.

Keep reading to learn more about the upcoming changes in Virginia, or find out how iubenda can help you comply →

📌 Users’ Rights

Residents of Virginia have the following rights under Virginia’s VCDPA:

  • the right to know if their personal data is being collected or processed;
  • to gain access to their personal data collected or processed by the controller;
  • to obtain a portable and usable copy of their personal data kept by a controller;
  • to not face discrimination because they exercised their rights; 
  • to have inaccurate personal data corrected; 
  • to have personal data deleted; and 
  • to opt out of having their personal data collected or processed for the purposes of targeted advertising, sale, and profiling.

📌 Opt out Links

Please be informed that under the VCDPA, there are no indications that opt out links enabling users to opt out of the processing of personal data for certain purposes are required

The provisions of the VCDPA, in fact, treat users’ opt out rights in the same manner as any other users’ rights granted under the Act. See how to respond to users’ requests below 👇

📌 How to respond to users’ requests

Your business needs to comply with users’ requests as follows:

  • you need to comply with the request within 45 days. The response period may be extended one time by 45 additional days when reasonably necessary, as long as you inform your user of any extension within the initial 45-day response period, together with the reason for the extension;
  • if you decline to take action regarding your users’ request, inform the user of such rejection within 45 days, indicating the relevant justification and instructions on how to appeal the decision;
  • if you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with the request, and you may ask for additional information, which is reasonably necessary to authenticate the user and its request.

📌 What happens if I don’t comply with the VCDPA?

As the VCDPA does not establish a dedicated privacy Agency, the Attorney General has exclusive authority to enforce its provisions.

Prior to initiating any action, the Attorney General will provide a 30 days written notice identifying the specific provisions that have been or are being violated:

👉 If within the 30-day period, you cure the noticed violation and provide the Attorney General with a written statement that the alleged violations have been cured and that no further violations shall occur, no action will be initiated against your business.

👉 If your business continues to violate the provisions of the Act following the cure period or a written statement made to the Attorney General, the Attorney General may initiate an action and seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.

What you need to do to prepare for the VCDPA

The United States gains another data privacy regulation through Virginia’s Data Protection Act (VCDPA).

If your organization is already in compliance with the GDPR and California’s CCPA/CPRA, the chances are you won’t have to do much to bring your website into compliance with Virginia’s VCDPA. However, it’s important you consider the changing landscape of privacy laws across the US and think about ways in which you can meet even the strictest of privacy standards. 

How can iubenda help you Comply with the VCDPA

iubenda has created the tools to help you simultaneously comply with the various legislations across the United States!

📌 Privacy and Cookie Policy generator → 
Our Privacy and Cookie Policy generator provides the option to add “service” clauses to comply with each US legislation.

Specific service clauses related to the VCDPA include:
  1. Profiling of Virginia consumers;
  2. Collection of personal data about Virginia consumers below the age of 13; and
  3. We do not collect personal data about Virginia consumers below the age of 13.

To enable the new US-specific clauses, simply click “Enable disclosures for Users Residing in the United States” from within the Privacy and Cookie Policy Generator. This will allow you to meet the strictest of US standards

📌 Privacy Controls and Cookie Solution → 
Additionally, our Privacy Controls and Cookie Solution allows you to meet the remaining requirements for your Privacy Notice. 

Within the configurator, simply: 

  1. select US legislation within the Generator; and
  2. activate the automated configuration to synchronize with your privacy notice and privacy control choices.
The VCDPA wen into effect on January 1, 2023

If your organization falls under the scope of the VCDPA, you should have begun looking into compliance solutions that are well-trusted and drafted by lawyers.

So, if you haven’t got one already, get started today.

Comply Now