What is the Virginia Consumer Data Protection Act?

Gov. Ralph Northam, a Democrat from Virginia, signed the Virginia Consumer Data Protection Act (VCDPA) into law on March 2, 2021.

VCDPA applies to entities that conduct business in Virginia or create goods or services marketed to Virginians and that either:

1. Control or process the personal data of at least 100,000 users per calendar year.

2. Control or process the personal data of at least 25,000 users and derive at least 50% of their total revenue from the sale of personal data.

What are the requirements for the Virginia Consumer Data Protection Act?

Rights of Consumers under the VCDPA

There are six main rights that consumers have under the VCDPA:

Right to access. Consumers have the right “to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.” 

Right to correct. Consumers have the right to correct inaccuracies in their personal data, concerning the nature of the personal data and the purposes of the processing of the consumer’s personal data.

Right to delete. Consumers have the right to delete personal data that they provided or that the entity obtained about them.

Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.


Limits on collection. Like the CCPA and the EU General Data Protection Regulation before it, the VCDPA includes a provision limiting the collection of data to that which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” 

Limits on use. Once the data has been collected, the statute mandates a business “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” Furthermore, the act imposes limits on processing sensitive personal information such that doing so is prohibited absent consumer consent.

Technical safeguards. In addition to imposing obligations on the business’s processing activities, the VCDPA, like the CCPA and GDPR, also mandates a business “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”

Data protection assessments. The CDPA also requires controllers to conduct “data protection assessments” that evaluate the risks associated with processing activities. While the act specifies the types of activities that must be assessed, it fails to indicate how often they must occur and how long they must be kept.

Data processing agreements. Like the GDPR’s Article 28, the VCDPA requires that processing activities undertaken by a processor on behalf of a controller be governed by a data processing agreement. Such agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The provision provides a set of enumerated terms that must be included in the agreement.   

Privacy policy. The VCDPA contains a provision requiring controllers to provide consumers with a privacy policy. The policy must state:

  • The categories of personal data processed by the controller.
  • The purpose for processing personal data.
  • How consumers may exercise their consumer rights and appeal a controller’s decision regarding the consumer’s request.
  • The categories of personal data that the controller shares with third parties, if any.
  • The categories of third parties, if any, with whom the controller shares personal data.

The CDPA contains no limitations regarding the timing of disclosures or any specific format they must adhere to, unlike previous state proposals.

Why should you be compliant?

The Virginia Attorney General will enforce the VCDPA. Fines for non-compliance with Virginia’s VCDPA can go up to $7,500 per infringement, although non-compliant organizations will first get a 30-day notice of violation with a chance to make corrections and become compliant.

How to achieve compliance?

For compliance with the Virginia Consumer Data Protection Act, Centraleyes’ risk management and compliance platform offers streamlined, automated data collection and analysis, as well as prioritized remediation advice and real-time personalized scoring. Centraleyes has mapped the Virginia Consumer Data Protection Act to its extensive control inventory, enabling the company to exchange data across various systems throughout its networks, saving time and money and allowing for more reliable data.

The Centraleyes platform will provide organizations with a comprehensive view of their cyber risk and compliance, as well as a ready-to-use report for audits.
