top of page

Virginia Consumer Data Protection Act: But why?

Updated: Jun 7, 2023

Data Protection Act

On March 2, 2021, the governor of Virginia signed a bill that states companies must be transparent about collecting user data with regards to geographic location and that they cannot sell this data to third parties without the consent of the individual.

Virginia Consumer Data Protection Act (VCDPA) will be taking effect on January 1, 2023. The second major user data privacy acts after California (CCPA).

Companies that collect or sell any customer data should consider taking steps now to determine whether they need to comply. In appraise compliance, organizations should review & audit internal policies, procedures, and agreements and update accordingly.

Virginia Consumer Data Protection Act (VaCDPA) has to do with disclosing what information is being collected, why it is being collected, how it will be used or sold, and whether users need to consent before data is shared.

The privacy act draws much from a proposed Washington Privacy Act that's meant to increase transparency around personal data collection while allowing consumers to control their digital footprint.

Much of the Virginia Consumer Data Protection Act also mirrors the California Consumer Privacy Act by focusing on facilitating individual rights over businesses that collect private information.

Will Your Organization be affected?

  1. VaCDPA applies to for-profit companies that conduct business in Virginia, or that produce products or services that are targeted towards Virginia residents and have at least 100,000 online users residing in VA.

  2. VaCDPA also applies to companies based outside of the state that derives greater than 50% of their gross revenue from selling data about Virginian consumers.

The act does not apply to nonprofits, any company that falls under the provisions of Gramm-Leach-Bliley Act or HIPAA, or to institutions of higher education.

VaCDPA prohibits the sale of personal data obtained from a database by a third party as it relates to employees, job applicants, and people involved with the contractor's business.

It is limited in scope to companies that have a physical business presence in Virginia. However, unlike CCPA which requires certain businesses to disclose what kind of information has been sold about customers if requested by them.

The Virginia Act for Consumer Rights has fewer requirements than the California Consumer Privacy Act (CCPA). Because it is narrower in scope, fewer companies will have to comply with this law than they would if they were subject to CCPA.

Data Covered under Act

Personal data” refers to any information that can be associated with a specific person or entity such as a business or company, for example. This includes information such as a name, ID number, address, or any other piece of information that could identify someone either directly or indirectly.

What “If” You don’t comply with (VacDPA) the Virginia Consumer Data Protection Act!

If a business doesn't get back to you about an issue it's facing within the 30 days, notice period from the Virginia attorney general, fines of up to $7,500 for each uncured violation, plus expenses, can be imposed. No private right of action whatsoever.

What You Need to Do?

How to Prepare for the Virginia Consumer Data Protection Act... An important aspect of conducting business within Virginia is staying abreast of new and upcoming legislation. So, here are a few important tips on how to prepare for this pivotal time in business.

Here is the list of action organizations that need to get checked:

  1. Create a data processing agreement with any companies that handle, or process personal data also ensure to update your current data-processing agreement to be compliant with the Virginia Consumer Data Protection Act.

  2. The immediate task you can implement is to update your website privacy policy to be compliant with (VaCDPA) Virginia Consumer Data Protection Act.

  3. Review what data your organization collects; for what purpose(s), to whom it is disclosed, if it’s “sold” and to whom. Consider putting in place procedures for encrypting sensitive or privileged data, as well as encrypting communication channels.

  4. In the wake of recent news regarding requests from authorities concerned with consumer data, product managers must have a written policy and procedure established to handle (DSAR) requests effectively.

  5. Perform a risk assessment and outline data protection procedures/ processes that are appropriate to the business, if required.

  6. Review cyber insurance policies and coverage liabilities to see whether new developments have introduced any new requirements or exclusions, for example under the (VacDPA or even CCPA).


While most businesses should already be performing a data inventory, the Virginia Consumer Data Protection Act requires companies to perform a more granular inventory, including documenting the purpose for which personal data is collected and processed.

Organizations will also need to update their external policies, such as their website privacy policy and terms of use, and internal procedures to ensure their employees are trained and following data protection law.

The Consumer's Data Protection Act requires that all businesses perform a privacy assessment check before carrying out their processing activities and put measures in place to uphold the consumer's right of appeal just in case there are any concerns.

bottom of page