VCDPA Amendments: What You Need to Know

Are you keeping up with the new VCDPA amendments? If you run a business, it’s important to know about these changes. This article will talk about the Virginia Consumer Data Protection Act (VCDPA) and its recent updates. We will explain what these changes mean for businesses and their consumers.

You’ll learn about protecting personal data and privacy. This is key to earning your consumers’ trust. Get ready to learn a lot about data privacy laws in Virginia in a simple and clear way.

Let’s dive right in.

Key Takeaways

The VCDPA focuses on data protection, especially for VCDPA sensitive data. It clarifies how businesses should manage personal data, aligning with the original rules without significant changes.

Future amendments to the VCDPA are likely driven by evolving technology, the need for clearer legal language, and changing concerns about data privacy.

Understanding and adhering to the VCDPA is crucial for corporate compliance, not only to avoid fines but also to build trust with consumers and ensure data subject rights are respected, and Captain Compliance is here to help with that.

What is the VCDPA (Virginia Consumer Data Protection Act)?

The VCDPA is a law in Virginia that helps protect people’s personal data. It was signed into law on March 2, 2021. This law is important because it gives people in Virginia the right to see their data and ask businesses to delete their personal information. It’s especially focused on data used for targeted advertising and sales.

On April 11, 2022, Virginia made some changes to this law. These amendments were made to help businesses and consumers collectively. The law went into effect on January 1, 2023.

VCDPA applies to businesses working in Virginia or selling products here. It’s specifically for businesses that control or process the personal data of at least 100,000 consumers, or if over half their money comes from selling people’s personal info and they’ve got at least 25,000 consumers’ data.

The new Virginia law mandates businesses to be transparent in their data protection practices, clearly stating how they use personal information, along with all other necessary privacy policy requirements.

The consumers have the right under the VCDPA to look at their data, fix mistakes, delete personal data, and say no to using their data for targeted ads and marketing. Businesses also have to keep the data secure and get consumers’ OK before working with sensitive information.

The Virginia Attorney General’s office keeps tabs on businesses to make sure they follow the rules. If they find someone is not doing what they should, they’ll send them a notice saying they have 30 days to correct it, known as the right to cure.

If a business doesn’t fix things in 30 days, it can get fined. The fine can be up to $7,500 per violation of the VCDPA. So, if a business fails to acknowledge the notice and continues to be non-compliant, those fines add up quickly.

This law is a big deal for both consumers and businesses. For consumers, it means more control over their personal data. For businesses, it’s about building trust by handling data responsibly. It’s important for businesses to understand and follow this law to avoid fines and to keep their consumers’ trust.

VCDPA Amendments

In 2022, Virginia made some big changes to the Virginia Consumer Data Protection Act (VCDPA). These changes, known as amendments, are important for businesses to understand. They make the law clearer and help businesses know exactly what they need to do.

Let’s look at these changes in detail!

Right to Delete Exception (HB 381)

There’s this new amendment, HB 381, that kind of switches things up on how consumers can delete their personal info from businesses. It used to be that if a consumer asked a business to delete their data, the business had to do it (except if in contradiction with another law), no questions asked. Now, there’s an exception.

If the business didn’t get your info straight from you but rather from another source, they can keep just enough data to make sure they don’t use your personal information again in the future. This change is especially important for businesses that work with third-party data.

Elimination of the Consumer Privacy Fund (HB 714/SB 534)

Another big change comes from HB 714 and SB 534. These bills got rid of the Consumer Privacy Fund. Before, money from fines for breaking the VCDPA rules went into this fund. Now, this money goes to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. This change affects where the money from fines is used.

Nonprofit Redefinition (SB 534)

SB 534 also brought a change in what counts as a ‘nonprofit’ under the VCDPA. Now, political organizations that don’t make a profit are included as nonprofits. This means they don’t have to follow the VCDPA rules, as nonprofits are exempt along with a variety of other businesses.

This change is important for political and certain tax-exempt organizations, as it clarifies their status as a nonprofit under the VCDPA.

Do The VCDPA Amendments Change How Businesses Handle Data?

The recent changes to Virginia’s data privacy law might seem like a big deal, but honestly, they don’t really shake things up too much for the average business. The amendments are more about clarifying parts of the law than totally changing it.

The main parts of the law stay the same. Businesses must exercise diligence in handling personal information, a key aspect of data protection and compliance services.

You need to tell consumers what data you’re collecting and why, and people can ask to access their data or have it deleted. And if you’re working with sensitive data like religious or sexual data, you must get clear permission and protect it more thoroughly with DPIAs.

The new amendments, like the right to delete exception (HB 381) and changes to the nonprofit definition (SB 534), are more about clarifying things. For example, the delete exception helps businesses that get data from other places, not straight from consumers. It means they can keep just enough data to make sure they don’t use it again. But they can’t use this data for anything else.

So what should businesses do? If you’re already compliant, consider enhancing your strategy with outsourced compliance services for continued adherence. Be transparent about how you use data, respect people’s rights over their info, and keep it secure.

Are There Any Anticipated Amendments for the VCDPA?

When it comes to laws like the Virginia Consumer Data Protection Act (VCDPA), changes are always possible. Similar to updating a computer program, as global data protection norms evolve, laws like the VCDPA and CCPA may require updates. So, are there more changes coming to the VCDPA? It’s likely.

First, let’s think about technology. It’s always changing, right? New ways of handling data, new kinds of data, and new tech gadgets mean that laws like the VCDPA need to keep up. So, as technology changes, we can expect some updates to the law to make sure it still works well.

Also, there’s always room for making the law clearer. Sometimes, after a law starts, people find parts that are confusing or don’t work as expected. When this happens, the government might add more details or make changes to make things clearer. It helps businesses and consumers understand the law better.

Lastly, there are always new concerns about data and privacy. People care a lot about their personal information. As these concerns grow and change, the law might need to change, too. This means we can expect more amendments to the VCDPA in the future.

While we don’t know exactly what changes might come, it’s a good bet that the VCDPA will see more amendments, or the US could make a national law like the ADPPA. These changes will likely be influenced by new technology, the need for clearer rules, and changing concerns about data privacy.


Now that we’ve gone over this new data privacy law and the changes, you may be wondering, what’s my next move for the business? Well, that’s where Captain Compliance steps in. We specialize in these kinds of regulations and can assist you in understanding and following them correctly.

Whether it’s updating privacy policies or training employees, we can help get your business on track. Proper data handling, a crucial part of compliance training, goes beyond legal obedience; it’s fundamental to earning consumer trust.

Do you feel your business needs guidance to ensure you’re compliant and trusted? Get in touch with Captain Compliance. We’ll guide you through this new landscape and make sure you’re protected legally and have your consumers’ confidence.


What Are the Main Requirements of VCDPA for Businesses?

The VCDPA requires businesses to be transparent about how they use personal data. They must inform consumers about the data they collect and its purpose. Businesses also need to secure consent for sensitive data and allow consumers to access, correct, or delete their data.

Confused about VCDPA requirements? We have resources to help you understand them better!

Does VCDPA Apply to Small Businesses?

VCDPA applies to businesses that either handle the personal data of 100,000 Virginia residents or earn over half of their revenue from selling personal data and handle the data of 25,000 consumers. Small businesses below these thresholds may not be subject to VCDPA.

Running a small business and wondering about VCDPA? Get in touch for tailored advice!

What Happens if a Business Violates VCDPA?

If a business violates VCDPA, it can face fines up to $7,500 per violation. The Virginia Attorney General’s office oversees enforcement and gives businesses a chance to correct violations before imposing fines.

Worried about VCDPA compliance? Read our guides for a deep understanding of the data-protecting laws.

What is Considered Sensitive Data Under VCDPA?

Under VCDPA, sensitive data includes personal information that can reveal racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and children’s data. Handling this type of data requires extra care and explicit consent from consumers.

Curious about managing sensitive data under VCDPA? Learn more with our in-depth guide on VCDPA Sensitive Data.
