Who does the VCDPA apply to?

The VCDPA applies to entities conducting business in Virginia or targeting Virginia residents that control or process personal data of 100,000+ consumers, or 25,000+ consumers while deriving 50%+ of gross revenue from data sales.

Does the VCDPA have a private right of action?

No. The VCDPA does not provide consumers with a private right of action. Only the Virginia Attorney General can bring enforcement actions.

What is the cure period under the VCDPA?

The VCDPA provides a 30-day cure period. When the AG identifies a potential violation, the business has 30 days to cure the violation before enforcement action can be taken.

Does the VCDPA require honoring Global Privacy Control?

No. Unlike California and Colorado, the VCDPA does not currently require businesses to honor universal opt-out mechanisms like GPC.

Virginia Privacy Law

Virginia Consumer Data Protection Act

Effective: January 1, 2023Active

Overview

The Virginia Consumer Data Protection Act (VCDPA) was the second comprehensive state privacy law in the United States, signed into law on March 2, 2021, and effective January 1, 2023. The VCDPA established a framework that many subsequent state laws have followed, balancing consumer privacy rights with a business-friendly approach to regulation. The VCDPA provides Virginia residents with rights to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of the sale of personal data, targeted advertising, and profiling. Unlike California's CCPA/CPRA, the VCDPA does not include a private right of action, leaving enforcement exclusively to the Virginia Attorney General. The law applies to entities that conduct business in Virginia or target Virginia residents and that control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data. The VCDPA provides a 30-day cure period for violations. Penalties can reach $7,500 per violation.

Applicability Thresholds

Conditions are joined by OR — meeting ANY one triggers applicability.

100,000+

Virginia consumers' data processed

25,000+ consumers

AND 50%+ revenue from data sales

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Data Portability

Opt-Out of Sale

Opt-Out of Targeted Ads

Opt-Out of Profiling

Limit Sensitive Data Use

Right to Appeal

Private Right of Action

Key Changes in 2025-2026

New social media restrictions for minors took effect January 1, 2026 — platforms must limit screen time and disable addictive features for users under 18
Virginia AG Jay Jones announced in February 2026 intent to fully enforce minor protections, beginning with 30-day cure notices to non-compliant platforms
VCDPA 30-day cure period remains in effect (no sunset provision) — one of the more business-friendly enforcement approaches
Virginia AG continues to build enforcement capacity with focus on children's data protection
No universal opt-out requirement yet, but businesses may voluntarily honor GPC as a best practice

Enforcement Details

Enforced By

Virginia Attorney General

Penalty Per Violation

$7,500

Cure Period

30 days

Private Right of Action

No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

No Universal Opt-Out Requirement

The VCDPA does not currently require businesses to recognize universal opt-out mechanisms such as GPC. However, businesses may voluntarily honor such signals as a best practice.

Minor / Child Protections

The VCDPA requires opt-in consent before processing personal data of known children under 13, consistent with COPPA. For consumers aged 13-17, businesses must obtain consent before processing data for targeted advertising or sale. Effective January 1, 2026, Virginia enacted social media restrictions for minors requiring platforms to limit screen time and disable addictive design features for users under 18. The Virginia AG has indicated these provisions will be actively enforced.

Compliance Checklist

1Determine whether your organization meets the VCDPA applicability thresholds based on Virginia consumer data processing
2Update privacy notices to include required disclosures about data categories, processing purposes, and consumer rights
3Implement processes to respond to consumer rights requests within the 45-day response period
4Obtain opt-in consent before processing sensitive personal data
5Conduct data protection assessments for targeted advertising, profiling, and sale of personal data activities
6Establish an appeals process for denied consumer requests and provide the AG contact for complaints

Virginia Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.