Virginia Privacy Law Overview

Virginia was an early mover in comprehensive privacy regulation. The Virginia Consumer Data Protection Act took effect on January 1, 2023 and provides GDPR-style consumer rights while remaining more business-friendly than California's regime. Its structure — controller/processor roles, opt-in for sensitive data, and assessments for risky processing — became the model for most states that followed.

The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA gives Virginians the rights to access, correct, delete and port their personal data and to opt out of targeted advertising, the sale of data, and certain profiling. It was the second comprehensive U.S. state privacy law and established the business-friendly template that many later state laws copied, including opt-in consent for sensitive data and data-protection assessments for higher-risk processing.

VCDPA: Quick Overview

  • Effective Date: January 1, 2023
  • Citation: Va. Code Ann. tit. 59.1, ch. 53
  • Enforced By: Virginia Attorney General
  • Maximum Penalty: Up to $7,500 per violation
  • Private Right of Action: No (enforcement by the state only)
  • Right to Cure: 30 days (permanent)

Who Must Comply

The VCDPA applies to a business that meets either of Virginia's applicability thresholds:

  • Controls or processes the personal data of at least 100,000 Virginia consumers in a year, or
  • Controls or processes data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data

What makes Virginia different: The VCDPA's controller-friendly framework — permanent cure period and opt-in only for sensitive data — became the blueprint copied by Indiana, Kentucky, Tennessee and others.

Consumer Rights Under the VCDPA

Virginia residents can exercise the following rights over their personal data:

  • Right to access / confirm what data is held
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for significant decisions

Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).

Data Breach Notification in Virginia

Virginia's breach-notification law requires notice to affected residents and to the Attorney General without unreasonable delay following discovery of a breach of personal information.

  • Deadline to notify residents: Without unreasonable delay after discovery
  • Attorney General notice: Notify the Virginia Attorney General for breaches affecting Virginia residents
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Federal Privacy Laws That Apply in Virginia

Even where Virginia law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Virginia Privacy Law FAQ

What rights do Virginia residents have under the VCDPA?
Virginians can confirm whether a business processes their data and access it, correct inaccuracies, delete personal data, obtain a portable copy, and opt out of targeted advertising, the sale of their data, and profiling that produces legal or similarly significant effects. Sensitive data requires opt-in consent.

Can I sue a company under the VCDPA?
No. The VCDPA has no private right of action. It is enforced exclusively by the Virginia Attorney General, who may seek civil penalties of up to $7,500 per violation after a 30-day cure period.

How a Virginia Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the Virginia Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a Virginia Privacy Attorney?

Whether you are a business working toward compliance or a Virginia resident whose privacy has been violated, our network of Virginia-licensed attorneys can help.
