Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) became law on March 2, 2021 and will go into force on January 1, 2023.

Part of a larger trend towards state privacy laws in the US, the VCDPA created new requirements for organizations that process data for consumers in Virginia. It also established certain data rights for Virginia residents.

The VCDPA applies to:

  • Businesses based in Virginia AND
  • Businesses that market goods or services to Virginia residents

Any organization that meets these criteria must also:

  • Control or process personal data for 100,000 or more Virginia residents per year OR
  • Process data for 25,000 or more Virginia residents while also earning at least 50% of gross revenue from selling personal data

The VCDPA gave Virginia residents the following rights in regards to their personal data.

Right to access - Virginia residents may request access to any personal data a company holds on them.

Right to correct - If they discover an error, consumers may request a correction of their personal data.

Right to delete - Consumers have the right to delete their personal data. This right applies whether the company received data from the consumer directly or it came from a third-party, such as a data broker.

Right to data portability - Virginia residents may move their data between services. In order to support this right, businesses must, upon request, give an individual their data in an easily transmittable format.

Right to opt out - Consumers may opt-out of personal data processing for targeted marketing purposes.

Right to appeal - Organizations under the VCDPA must create an appeals process that VA residents can use in the event their data request is denied or otherwise unfulfilled.

Learn more about the VCDPA with our complete guide 'VCDPA: Preparing for 2023 enforcement'.