The governor of Virginia signs the nation’s second comprehensive data protection law

On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act[1] (“VCDPA”) into law. With the enactment of the VCDPA, Virginia is the second state in the country to adopt a comprehensive consumer privacy law, after the California Consumer Privacy Act[2] (“CCPA”). While the VCDPA is similar to the CCPA in many ways, it has a different scope and imposes different obligations. Accordingly, affected companies must conduct a separate scope analysis and, if they are subject to the VCDPA, establish different business rules in order to comply with it.


The VCDPA applies to persons who do business in Virginia or produce products or services for residents of Virginia and who either (i) control or process personal data of at least 100,000 consumers during a calendar year, or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The VCDPA applies to information that is linked or reasonably linkable to an identified or identifiable person acting in an individual or household context. The law also provides special protection for sensitive data, including personal data revealing certain demographic information, biometric data, or location data, as well as data about a known child.

However, the VCDPA does not apply to:

  • financial institutions[3] or data[4] subject to the federal Gramm-Leach-Bliley Act;
  • certain activities[5] regulated by the Fair Credit Reporting Act;
  • information about people acting in a commercial or professional context;
  • de-identified data; or
  • publicly available information.

The VCDPA imposes different obligations depending on whether the company is a controller (the person who determines the purpose and means of processing personal data) or a processor (the company that processes personal data on behalf of the controller). Therefore, a company needs to analyze whether it acts as a controller or a processor when processing personal data.

Consumer rights

The VCDPA provides consumers with a number of rights in relation to their personal data, some of which are similar to those available under the CCPA. Under the VCDPA, consumers have the right to:

  • confirm whether or not a controller is processing their personal data;
  • access their personal data;
  • correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data;
  • delete personal data provided by or obtained about them;
  • receive a portable copy of the personal data that they previously provided to the controller; and
  • opt out of the processing of personal data for:
    • targeted advertising,
    • the sale of personal data, or
    • profiling.

Controller obligations

The VCDPA requires controllers, among other things, to:

  • limit the collection of personal data to what is appropriate, relevant and reasonable for the purposes for which this personal data is processed, as communicated to the consumer;
  • not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes, unless the controller obtains the consent of the consumer;
  • establish, implement and maintain data security practices;
  • not process personal data in violation of discrimination laws;
  • not process sensitive personal data without consent; and
  • clearly disclose whether personal data is being sold to third parties or processed for targeted advertising, and how a consumer can exercise his or her opt-out rights.

Controllers are also required to provide consumers with a privacy notice containing certain information about the personal data processed by the controller.

The VCDPA requires a data protection assessment that identifies and weighs the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the consumer’s rights associated with such processing, as mitigated by safeguards that the controller can use to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data is being processed, are to be factored into this assessment by the controller.[6] Controllers must carry out and document data protection assessments when they engage in the following activities:

  • the processing of personal data for the purpose of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for the purpose of profiling, if this profiling presents a reasonably foreseeable risk of certain types of harm to consumers;
  • the processing of sensitive data; and
  • processing activities involving personal data that pose an increased risk for consumers.

Processor duties

A processor must follow the instructions of a controller and support the controller in the following tasks:

  • responding to consumer rights requests;
  • complying with breach notification obligations; and
  • providing information that enables the controller to carry out and document data protection assessments.

There are also requirements for contracts between controllers and processors.


The Virginia Attorney General has exclusive authority to enforce the VCDPA and may seek civil penalties of up to $7,500 for each violation of the VCDPA, in addition to injunctive relief.

The VCDPA does not contain a private right of action.

Effective Date

The VCDPA comes into force on January 1, 2023.

[1] Va. Code Ann. §§ 59.1-571 et seq.

[2] Cal. Civ. Code §§ 1798.100 et seq.

[3] 15 U.S.C. § 6809(3).

[4] 15 U.S.C. § 6809(4).

[5] E.g., “[t]he collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.).” Va. Code Ann. § 59.1-572.

[6] Va. Code Ann. § 59.1-576(B).
