Iubenda logo
Start generating


Table of Contents

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and Virginia became the second state in the United States to enact a comprehensive data privacy law after California. 

The VCDPA goes into effect on January 1, 2023, and will affect organizations that do business in Virginia or provide products/services to people in Virginia. In other words, your organization does not need to be located in Virginia to be affected by the VCDPA.

🚀 You can learn more about the VCDPA in this article, including whether or not you’ll be affected and how to become compliant.

What is the Virginia Consumer Data Protection Act (VCDPA)?

The VCDPA grants users the right to access their data and requests that organizations remove their personal data. It also compels businesses to complete data security assessments when processing personal data for, among others, targeted advertising and sales.

Under the VCDPA, personal data means any information that is linked or reasonably linkable to an identified or identifiable person.

Therefore it’s important to note that IP addresses can be considered personal data as long as they are “linked or reasonably linkable to an identified or identifiable natural person”.

Will my Organization be affected by the VCDPA?

To fall under the scope of the Act, organizations doing business in Virginia must meet one of two levels, and both thresholds address a minimum number of affected users. 

Organizations that control or process:
  1. at least 100,000 users’ personal data in a calendar year, or 
  2. at least 25,000 users’ personal data while generating more than 50% of gross revenue from the sale of that data

will be affected by the VCDP. Keep reading to find out how your business can become compliant. 👇

📌 Your Privacy Policy under the VCDPA

Your organization must provide users with a reasonably accessible, clear, and meaningful privacy notice. Here is the full checklist of information that you must include in your privacy policy. 

Privacy Policy Checklist ✅

Include the categories of personal data processed by your organization.

Include your organization’s purpose for processing personal data.

Inform your users of how they may exercise their rights (see below), including how they can appeal a decision on their requests. You must provide one or more methods for users to submit a request.

Include the categories of personal data that your organization shares with third parties if any.

Include the categories of third parties, if any, with whom your organization shares personal data.

Residents of Virginia have the following rights under Virginia’s VCDPA:

  • the right to know if their personal data is being collected or processed;
  • to gain access to their personal data collected or processed by the controller;
  • to obtain a portable and usable copy of their personal data kept by a controller;
  • to not face discrimination because they exercised their rights; 
  • to have inaccurate personal data corrected; 
  • to have personal data deleted; and 
  • to opt out of having their personal data collected or processed for the purposes of targeted advertising, sale, and profiling.

Please be informed that under the VCDPA, there are no indications that opt-out links enabling users to opt-out of the processing of personal data for certain purposes are required.

The provisions of the VCDPA, in fact, treat users’ opt-out rights in the same manner as any other users’ rights granted under the Act. See how to respond to users’ request below 👇

📌 How to respond to users’ requests

Your business needs to comply with users’ requests as follows:

  • you need to comply with the request within 45 days. The response period may be extended one time by 45 additional days when reasonably necessary, as long as you inform your user of any extension within the initial 45-day response period, together with the reason for the extension;
  • if you decline to take action regarding your users’ request, inform the user of such rejection within 45 days, indicating the relevant justification and instructions on how to appeal the decision;
  • if you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with the request, and you may ask for additional information, which is reasonably necessary to authenticate the user and its request.

📌 What happens if I don’t comply with the VCDPA?

As the VCDPA does not establish a dedicated privacy Agency, the Attorney General has exclusive authority to enforce its provisions.

Prior to initiating any action, the Attorney General will provide a 30 days written notice identifying the specific provisions that have been or are being violated:

👉 If within the 30-day period, you cure the noticed violation and provide the Attorney General with a written statement that the alleged violations have been cured and that no further violations shall occur, no action will be initiated against your business.

👉 If your business continues to violate the provisions of the Act following the cure period or a written statement made to the Attorney General, the Attorney General may initiate an action and seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation.

What you need to do to prepare for the VCDPA

The United States gains another data privacy regulation through Virginia’s Data Protection Act (VCDPA).

If your organization is already in compliance with the GDPR and California’s CCPA/CPRA, the chances are you won’t have to do much to bring your website into compliance with Virginia’s VCDPA.

The VCDPA takes effect on January 1, 2023

If your organization falls under the scope of the VCDPA, you should begin looking into compliance solutions that are well-trusted and drafted by lawyers.

So, if you haven’t got one already, start to set up all that you need today, and we’ll inform you when the clauses are available!

Start generating