Law Updates | March 29, 2026 | 12 min read

Virginia Consumer Data Protection Act (VCDPA): Complete 2026 Compliance Guide


What Is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act (VCDPA) was the second comprehensive state privacy law in the United States, signed into law on March 2, 2021, and effective since January 1, 2023. Virginia’s framework has become the model for more than a dozen subsequent state privacy laws, making the VCDPA one of the most influential pieces of data privacy legislation in the country.

Unlike California’s CCPA/CPRA, which leans consumer-friendly, the VCDPA strikes a balance between protecting consumer rights and maintaining a business-friendly regulatory environment — notably through its permanent 30-day cure period and the absence of a private right of action.

Use our Privacy Law Calculator to check whether the VCDPA applies to your organization.

Who Does the VCDPA Apply To?

The VCDPA applies to entities that conduct business in Virginia or that produce products or services targeted to Virginia residents, and that meet either of the following thresholds (OR logic):

  • Tier 1: Control or process personal data of at least 100,000 consumers during a calendar year; OR
  • Tier 2: Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The law applies to all entity types — for-profit and nonprofit alike. However, it exempts government entities, higher education institutions, entities subject to GLBA and HIPAA (at the entity level), and certain insurance-related entities.

Notably, the VCDPA counts “consumers” as Virginia residents acting in an individual or household context — it excludes individuals acting in a commercial or employment context.

Consumer Rights Under the VCDPA

Virginia residents have the following rights under the VCDPA:

  • Right to access: Confirm whether a controller is processing their personal data and access that data.
  • Right to correction: Correct inaccuracies in their personal data.
  • Right to deletion: Delete personal data provided by or obtained about the consumer.
  • Right to data portability: Obtain a copy of their personal data in a portable, readily usable format.
  • Right to opt out of sale: Opt out of the sale of their personal data.
  • Right to opt out of targeted advertising: Opt out of the processing of personal data for targeted advertising.
  • Right to opt out of profiling: Opt out of profiling that produces legal or similarly significant effects.
  • Right to appeal: Appeal a controller’s refusal to take action on a request, with the right to contact the AG if the appeal is denied.

Controllers must respond to consumer requests within 45 days, with a possible 45-day extension for complex requests. Requests must be fulfilled free of charge, up to twice per year.

Sensitive Data and Consent Requirements

The VCDPA requires opt-in consent before processing sensitive personal data. Sensitive data includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Biometric data processed for identification purposes
  • Personal data of known children under 13 (COPPA-aligned)

For consumers aged 13–17, the VCDPA requires consent before processing data for targeted advertising or the sale of personal data.

Enforcement and Penalties

The VCDPA is enforced exclusively by the Virginia Attorney General. There is no private right of action, meaning individual consumers cannot sue businesses for VCDPA violations.

Key enforcement details:

  • 30-day cure period: The AG must provide written notice of a violation and allow 30 days to cure. This cure period is permanent — it has no sunset provision, unlike states such as Colorado (expired Jan 1, 2025) and Connecticut (eliminated).
  • Penalties: Up to $7,500 per violation, plus reasonable attorney fees and costs.
  • Injunctive relief: The AG can seek to restrain ongoing violations.

Virginia AG Jay Jones announced in February 2026 an intent to prioritize enforcement of minor protection provisions, beginning with 30-day cure notices to non-compliant social media platforms.

GPC and Universal Opt-Out

Unlike California, Colorado, Connecticut, and several other states, the VCDPA does not currently require businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC). However, businesses may voluntarily honor GPC signals as a best practice, and doing so can help with compliance in multi-state operations.

Check our GPC Compliance Checker to see which states require GPC recognition for your business.

2026 Updates: What’s New for the VCDPA

  • Minor protections enforcement (January 1, 2026): New social media restrictions for minors took effect, requiring platforms to limit screen time and disable addictive design features for users under 18. The Virginia AG announced active enforcement.
  • SB 338 — Geolocation data ban (pending governor’s action): The Virginia legislature unanimously passed SB 338, which would amend the VCDPA to prohibit controllers from selling or offering to sell precise geolocation data. Governor Spanberger has until April 13, 2026, to sign. If signed, Virginia will join Maryland and Oregon in banning geolocation data sales.
  • Business-friendly cure period remains: The 30-day cure period has no sunset provision, making Virginia one of the more forgiving enforcement environments for compliant businesses.
  • No GPC mandate yet: Virginia still does not require businesses to honor universal opt-out signals, though several other states with VCDPA-model laws have added this requirement.

How the VCDPA Compares to Other State Privacy Laws

  • Most-copied framework: The VCDPA model has been adopted (with variations) by Connecticut, Colorado, Indiana, Iowa, Tennessee, and more than 10 other states.
  • Permanent cure period: Unlike Colorado (expired), Connecticut (eliminated), Oregon (eliminated), and Montana (eliminated), Virginia’s cure period is permanent.
  • No GPC requirement: Virginia, Utah, Iowa, Indiana, and Tennessee do not require GPC — most newer laws do.
  • Middle-range penalties: $7,500/violation is below Colorado ($20,000) and Maryland ($10K/$25K) but standard among VCDPA-model states.
  • No private right of action: Like most state privacy laws (except California under limited circumstances), the VCDPA relies solely on AG enforcement.

Use our State Comparison Tool to see how Virginia compares across all 20+ state privacy laws.

7-Step VCDPA Compliance Plan

  1. Determine applicability — Assess whether your organization meets the VCDPA thresholds (100K consumers OR 25K consumers + 50% revenue from data sales). Use the Privacy Law Calculator.
  2. Update privacy notices — Include all required disclosures: categories of personal data processed, purposes of processing, consumer rights, how to exercise those rights, categories of third parties you share data with, and whether you sell data or use it for targeted advertising.
  3. Build consumer rights workflows — Create intake, verification, and fulfillment processes for all eight consumer rights. Configure 45-day response timelines. Establish an appeals process with AG complaint contact info.
  4. Obtain sensitive data consent — Implement opt-in consent mechanisms for all sensitive data categories. Review processing of children’s data (under 13) and teen data (13–17) for advertising and sale purposes.
  5. Conduct data protection assessments — Perform assessments for targeted advertising, sale of personal data, processing of sensitive data, and profiling activities that carry significant risk. Document and retain these assessments.
  6. Review processor contracts — Ensure all data processor agreements meet VCDPA requirements: clear processing instructions, duty of confidentiality, subprocessor requirements, audit rights, and deletion/return obligations upon contract end.
  7. Monitor SB 338 and future amendments — If Governor Spanberger signs SB 338, update your data practices to prohibit the sale of precise geolocation data. Audit third-party vendor relationships for geolocation data flows.

For a detailed walkthrough, visit our Virginia Compliance Checklist.

Frequently Asked Questions

Does the VCDPA apply to nonprofits?

Yes. Unlike some state privacy laws that exempt nonprofits, the VCDPA applies to all entity types, including nonprofits, if they meet the applicability thresholds.

Does the VCDPA cover employee data?

No. The VCDPA defines “consumer” as a Virginia resident acting in an individual or household context. It excludes individuals acting in a commercial or employment context.

How does the VCDPA interact with HIPAA?

The VCDPA exempts HIPAA-covered entities and business associates at the entity level. This is a broader exemption than some other state privacy laws that only exempt specific data types rather than the entire entity.

Is there a revenue threshold for the VCDPA?

No. Unlike the Utah UCPA (which requires $25M+ revenue), the VCDPA has no revenue threshold. Applicability is based solely on consumer data processing volume and revenue derived from data sales.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.