What is VCDPA?

VCDPA is a US state law that was passed in Virginia to protect the privacy rights of consumers residing in Virginia. It applies to businesses that conduct business in Virginia or produce products/services targeted to VA residents, and that collect or process the personal data of

  • over 100,000 consumers or
  • over 25,000 consumers if over 50% of revenue is from selling personal data.

VCDPA is enforced by the Virginia Attorney General.

Here are the key aspects of the Act:

  • VCDPA defines personal data as any information that identifies a specific individual, including names, email, photos, contact information. Sensitive personal data includes things like racial/ethnic origin, health info, sexual orientation, etc.
  • Key principles under VCDPA include purpose limitation, data security, non-discrimination against consumers exercising their rights, requiring consent for certain types of data, providing a privacy notice, and conducting impact assessments for high-risk data processing.
  • Rights granted to consumers include rights to access, correct, delete their data, opt-out of data sales/targeted advertising, and data portability. Businesses have 45 days to respond to consumer requests.
  • Penalties for violations include the Attorney General being able to sue for up to $7,500 per violation if problems are not fixed after receiving notice.

Check out how you can comply with VCDPA.