Everything to Know about Virginia’s Consumer Data Protection Act (VCDPA)

Important Facts About VCDPA

The Virginia Consumer Data Protection Act (VCDPA), which the Virginia State Governor approved on March 2, 2021, is the state's main consumer data protection law. On January 1, 2023, VCDPA will go into effect, making it the second US state after California to have its own version of this regulation.

According to the VCDPA, consumers have the right to see their data and request that businesses delete their personal information. Additionally, when processing personal data for specialized marketing and sales operations, VCDPA requires organizations to conduct data protection assessments.

Under the VCDPA, data controllers must conduct data protection assessments for any processing of data involving sensitive personal data, targeted advertising, the sale of personal data, profiling, or any other activity that raises the risk of harm to data subjects.

Data Subject Rights (DSRs) must be fulfilled within 45 days. Virginians won't be able to bring cases directly against lawbreakers. Enforcement will be handled by the state attorney general, who has the authority to seek fines of up to $7,500 for each infraction.

The VCDPA states that prior to processing children's personal data, using sensitive personal data, or using personal data for purposes other than those for which it was initially collected, opt-in consent must be sought.