On March 2, 2021, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), making Virginia the second state to enact a broad-based consumer privacy statute. The VCDPA became effective on January 1, 2023, and was subsequently amended by SB 361 (Amendment) which became effective on January 1, 2025.
Threshold Requirements and Exemptions
The VCDPA applies to any person that conducts business in Virginia or produces products or services that are targeted to Virginia residents and that, in a calendar year, does either of the following:
- Controls or processes the personal data of at least 100,000 Virginia residents.
- Controls or processes the personal data of at least 25,000 Virginia residents and derives more than 50% of its gross revenue from the sale of personal data.
The VCDPA includes a broad suite of entity-level and data-level exemptions. Entity-level exemptions include nonprofit organizations, Gramm–Leach–Bliley Act (GLBA) financial institutions (both at an entity and data level), institutions of higher education, and HIPAA-covered entities and business associates. Data-level exemptions include personal health information (PHI), as well as data controlled or processed in compliance with the Family Educational Rights and Privacy Act, the Farm Credit Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act and the Children’s Online Privacy Protection Rule (COPPA).
“Personal data” refers to any information that is linked or reasonably linkable to a Virginia resident. The VCDPA does not cover personal data relating to employment or contracted services.
Consumer Rights
The VCDPA provides consumers with certain rights with respect to their personal data held by “Controllers” – defined as the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data. Consumers under the VCDPA have the right to request the following:
- The right to confirm whether or not a controller is processing the consumer’s personal data and to access personal data processed by a controller.
- The right to correct inaccuracies in the consumer’s personal data.
- The right to delete personal data provided by, or obtained about, the consumer.
- The right to obtain a copy of personal data in a portable, readily usable format that allows the consumer to easily transmit the data to another controller.
- The right to opt out of the sale of personal data, processing of personal data for targeted advertising, and processing of personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- The right to appeal a Controller’s decision to decline a consumer’s rights request.
Controllers must respond to consumer requests within 45 days (with a single 45-day extension permitted if reasonably necessary).
Privacy Notice
Controllers under the VCDPA must provide consumers with a “privacy notice” that is reasonably accessible, clear, and meaningful. The notice must include all of the following:
- The categories of personal data processed.
- The purpose(s) for such processing.
- The way in which a consumer can exercise their rights and appeal a decision made by a Controller with regard to the consumer’s request.
- The categories of personal data that the Controller shares with third parties.
- The categories of third parties with whom the Controller shares personal data.
- One or more secure and reliable means for consumers to submit a request to exercise their consumer rights.
Treatment of Sensitive Data
The VCDPA requires opt-in consent prior to the processing of “sensitive data,” which is defined to include:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
- Genetic or biometric data processed for the purpose of uniquely identifying an individual.
- Precise geolocation data.
- Personal data collected from a known child, which is defined as a consumer younger than 13 years old.
Children’s Data and Amendment
If the consumer is a known child, a Controller must process such data in accordance with COPPA. In addition, Controllers cannot process: (1) a known child’s data for the sale of personal data; (2) personal data of children for targeted advertising; and (3) personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning the child without parental consent. Controllers are not allowed to use children’s data for any purpose other than the purpose that was originally disclosed when the data was collected. They also cannot keep the data longer than necessary or use it for reasons that are not needed to provide the online service, product, or feature. Additionally, collecting a known child’s precise geolocation data is only allowed if it is necessary for the service and only for as long as needed. While collecting this data, controllers must give the child a clear signal that their location is being tracked.
The Amendment places new responsibilities on “operators” and third-party data processors to safeguard the personal data of children, referred to as “covered users” which means “a user of a website, online service, or online or mobile application, or portion thereof, who is (i) actually known by the operator of a website, online service, or online or mobile application to be a minor or (ii) a user of a website, online service, or online or mobile application directed to minors.” The Amendment defines “operators” as any person that operates or provides a website, online service, or mobile application and that conducts any of the following:
- Collects or maintains, either directly or through another person, personal data from or about the users of such website, online service, or online or mobile application.
- Integrates with another website, online service, or online or mobile application and directly collects personal data from the users of such other website, online service, or online or mobile application.
- Allows another person to collect personal data directly from users of such website, online service, or online or mobile application.
- Allows users of such website, online service, or online or mobile application to publicly disclose personal data.
Among other obligations, the Amendment:
- Prohibits an operator from processing, or allowing a third party to process, the personal data of a covered user collected through the use of a website, online service, or online or mobile application unless:
  - The covered user is 12 years of age or younger and processing is permitted under COPPA; or
  - The covered user is 13 years of age or older and processing is strictly necessary or the operator has obtained informed consent from the covered user.
  - Processing is “strictly necessary” for providing requested services or products, internal business operations (excluding marketing and providing products or services to third parties), fixing technical errors, ensuring security, legal compliance or defense, and protecting the vital interests of individuals.
  - “Informed consent” must be separate from other transactions, avoid dark patterns and manipulative design, allow granular choices per type of data processing, clearly state the nature of the processing, and include a simple option to refuse. Once given, consent can be revoked at any time. Operators cannot request consent again for one year if it has been declined or revoked.
- Within 14 days of determining that a user is a covered user, the operator must do both of the following:
  - Dispose of, destroy or delete all personal data of the covered user that it maintains, unless processing the personal data is: (1) permitted under COPPA; (2) strictly necessary; or (3) pursuant to informed consent.
  - Notify any third parties to whom it disclosed the personal data and any third parties it allowed to process the personal data that the user is a covered user.
- Prohibits an operator from disclosing the personal data of a covered user to a third party, or allowing the processing of the personal data of a covered user by a third party, without a written agreement outlining:
  - The limited purposes for processing.
  - Obligations to delete or return data.
  - Requirements for compliance audits.
  - Advance notice before data is shared further.
Data Protection Assessments
The VCDPA requires Controllers to conduct data protection assessments (DPAs) for the processing of personal data for targeted advertising or profiling, the processing of sensitive data, the sale of personal data, or any other processing activities that present a “heightened risk of harm to a consumer.” The VCDPA’s DPA requirements apply to processing activities created or generated after July 1, 2024, and are not retroactive.
Under the Amendment, Controllers that provide “online services, products, or features”—which include almost any online offering except certain telecommunications, broadband services, and physical product delivery—are required to conduct DPAs for any service, product, or feature directed to children. These assessments must explain the purpose of the online offering, identify the types of children’s personal data being processed, and describe the reasons for processing that data.
Enforcement
The Office of the Virginia Attorney General holds exclusive enforcement authority and there is no private right of action for consumers. The Attorney General may seek injunctive relief, statutory damages of up to $7,500 per violation, and reasonable investigative costs and attorneys’ fees. Prior to initiating any action, the Attorney General shall provide a Controller or Processor with 30 days’ prior written notice identifying the specific violations.
Our team will continue to monitor the implementation and enforcement of the Virginia Consumer Data Protection Act. If you have questions about complying with the VCDPA, please contact the authors.