Understanding the Virginia Consumer Data Protection Act

Understanding the Virgini…

On March 2, 2021, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law, making Virginia the second state to pass comprehensive data privacy legislation. While this law does not take effect until January of 2023, let’s take a look at the basics of the act in order to prepare ourselves for the coming changes.

Who is restricted by the VCDPA?

The VCDPA applies to all entities that conduct business in the Commonwealth or those that produce products or services that are targeted to residents of the Commonwealth and that either:

(A) control or process the personal data of at least 100,000 consumers during a calendar year; or

(B) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data

The VCDPA specifically excludes the following entities:

(i) bodies, boards, and agencies of the Commonwealth of Virginia or any political subdivision of the Commonwealth;

(ii) any financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.);

(iii) any covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5);

(iv) nonprofit organizations;

(v) institutions of higher education.

Essentially, the VCDPA will apply to just about any large-scale business that regularly interacts with Virginia residents.

What is “personal data” under the VCDPA?

The Act defines personal data as, “any information that is linked or reasonably linkable to an identified or identifiable natural person. ‘Personal data’ does not include de-identified data or publicly available information.”

The Act specifically excludes several categories of data (all will not be listed), which include:

1. Protected health information under HIPAA;

2. Information regulated by the Fair Credit Reporting Act;

3. Information protected by the Drivers Privacy Protection Act;

In short, any information that is covered by another statute.

The Act includes a category called “sensitive data” which includes personal data regarding racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizenship or immigration status. This category includes precise geolocation data, the processing of genetic or biometric data for the purpose of identifying a person, and personal data collected from a child. Sensitive data requires consent to be processed by an entity to which this Act applies.

What are my obligations if this law applies to me?

  • Limit the collection and processing of data to what is reasonably necessary and compatible with the purposes that have been disclosed to the consumer.
    • Obtain consent before collecting and processing data for a purpose not previously stated to the consumer.
  • Implement reasonable security practices for data processing data in order to protect and maintain the confidentiality of personal data.
  • You CANNOT process “sensitive data” without consent from the consumer.
  • Respond to consumer rights requests in 45 days (an additional 45 days may be granted if notification of the need for the extension is given to the consumer within the initial 45-day period).

What rights are granted to consumers?

Under the VCDPA consumers have the right to:

  • confirm whether or not a controller (defined under the act as a person that determines the purpose and means of processing personal data) is processing (defined as any operating performed on personal data, such as collection, use, storage, disclosures, analysis, ect.) the consumer's personal data and to access such personal data;
  • correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
  • delete personal data provided by or obtained about the consumer;
  • obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
  • opt out of the processing of the personal data for purposes of:
    • (i) targeted advertising,
    • (ii) the sale of personal data, or
    • (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.


The Attorney General has the exclusive authority to enforce the Act by seeking injunction relief and/or monetary damages. Violations can result in fines up to the amount of $7,500.00 per violation. The Act does not create a private right of action for consumers.

If you have questions about this article, please contact Sean Mackin (smackin@setlifflaw.com) at 804-377-1272, or Steve Setliff (ssetliff@setlifflaw.com) at 904-377-1261.