Virginia
Virginia Consumer Data Protection Act (VCDPA)
| Passed | January 1, 2023 |
| Effective Date | January 1, 2023 |
| Who it applies to |
Entities that (1) control/process data of 100,000+ Virginia residents; or (2) control/process data of 25,000+ and derive 50% revenue from selling data. Exempt entities include nonprofits, higher education institutions, government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
| Penalties | Up to $7,500 per violation |
What’s notable about it:
Virginia’s VCDPA inspired every US comprehensive state privacy law other than California’s. It was the first mover after California, and interestingly, other states mostly built on the VCDPA, so it’s no longer one of the tougher privacy laws in the US. But Virginia is not done legislating on privacy—a genetic privacy law took effect in the state this July.
It requires that brands enable consumers to opt in if they are processing or collecting sensitive data, like location or race. However, Virginia's law does not include a private right of action—so Virginia residents can’t take a company to court over data privacy violations (which California does).