Skip to content
VCDPA - Virginia Consumer Data Protection Act
What are requirements of the VCDPA?

What are the requirements of the VCDPA?

Virginia consumers have a host of data subject rights and consent rights businesses need to fulfill. This section will go over these rights in more detail.

Data Subject Requests

Data subject requests (DSRs) are requests that users can make to exercise control over their personal information businesses collect on them.

Under VCDPA, Virginians are granted these specific rights.

Right to Know and Access Consumers are allowed to request to know if a company is collecting and processing their personal information, and access what personal data that company has on them.
Right to Correct Consumers are allowed to request that a company correct inaccurate information about them.
Right to Delete Consumers are allowed to request the deletion of all of the personal data a company has on them. This also extends to the personal data held by data processors, third-party vendors, or subcontractors.
Right to Data Portability Consumers are allowed to request a copy of the data a company holds on them in a machine-readable format.
Right to Appeal Consumers are allowed to challenge a company’s refusal to process a data subject request.

Virginia’s privacy law mandates that businesses respond to consumers' requests within 45 days. They can also extend for an additional 45 days if needed to process requests.

Consent Requirements

Virginia’s privacy law also grants specific consent rights for consumers to exercise control over how their personal data is processed by businesses. Businesses must enable consumers to submit their preferences. Here are the opt-out and opt-in consent rights Virginian residents have:

Targeted Advertising Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.
Sale of Personal Data The exchange of personal data for monetary consideration by the controller to a third party
Profiling Any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
The Processing of Sensitive Data
  • Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
  • The personal data collected from a known child (under 13 years old).
  • Precise geolocation data.

Businesses need to communicate how users can exercise their consent options through Privacy Notices on their websites.


The Attorney General of Virginia has sole authority over enforcing VCDPA. That means Virginians do not have a private right of action and cannot directly sue a company for privacy violations.

If the AG sends your business a notice of a privacy violation, your business has a 30-day cure period to correct infractions. Otherwise, your business could face a civil penalty of up to $7500 per violation.