This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
header image


Virginia Consumer Data Protection Act (VCDPA)

Passed January 1, 2023
Effective Date January 1, 2023
Who it applies to

Entities that (1) control/process data of 100,000+ Virginia residents; or (2) control/process data of 25,000+ and derive 50% revenue from selling data. Exempt entities include nonprofits, higher education institutions, government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).

Penalties Up to $7,500 per violation

What’s notable about it:

Virginia’s VCDPA inspired every US comprehensive state privacy law other than California’s. It was the first mover after California, and interestingly, other states mostly built on the VCDPA, so it’s no longer one of the tougher privacy laws in the US. But Virginia is not done legislating on privacy—a genetic privacy law took effect in the state this July.

It requires that brands enable consumers to opt in if they are processing or collecting sensitive data, like location or race. However, Virginia's law does not include a private right of action—so Virginia residents can’t take a company to court over data privacy violations (which California does).

The Strict Spectrum

Less Strict