What is the VCDPA Regulation? [2024 Comprehensive Guide]

Navigating today’s digital landscape is no easy task, especially with laws like the Virginia Consumer Data Protection Act (VCDPA) coming into play.

But don’t worry – this article will be your guide to understanding VCDPA in its entirety. We’ll decode what it means for you and your business, compare it against other data protection laws, and outline essential steps toward compliance.

Whether you’re new to the subject or looking at refreshing existing knowledge of VCDPA, we’ve got all bases covered here!

So, let’s dive right in as we ensure that your business is fully compliant with the rules set by VCDPA!

Key Takeaways

The Virginia Consumer Data Protection Act is a big deal for medium and large businesses in Virginia. It says businesses have to be more careful and transparent about how they use people’s personal information.

The law gives regular people a lot more rights over their own data. Consumers can now ask to see, fix, or delete the personal info that businesses have collected about them.

If you don’t follow the rules, you could end up paying huge fines or getting sued. Businesses that deal with large amounts of Virginian resident data have to take VCDPA seriously and get expert help to make sure they’re in compliance.

What is the VCDPA?

The Virginia Consumer Data Protection Act (VCDPA), similar to GDPR and the California Consumer Privacy Act (CCPA), is a comprehensive law designed to safeguard the personal data of Virginia residents.

Effective from January 1, 2023, this law marks Virginia as the second state, following California, to implement such extensive consumer privacy legislation.

The VCDPA mandates that businesses meet certain criteria to fall under its jurisdiction. Specifically, it applies to entities that either control or process the personal data of at least 100,000 consumers in a year or those that handle the data of at least 25,000 consumers and derive over 50% of their gross revenue from selling this data.

A major focus of the law, like with the Colorado Privacy Act, is giving people more control over their personal info, including how cookies are used.

It lays out six basic rights, including being able to access, fix, and delete your data. You can also get a copy of your information in a format you can easily read and choose not to have your data used for targeted ads, sold, or profiled.

The law has extra rules, such as a requirement for opt-in consent and data protection assessments for sensitive information. Sensitive information includes race, religion, health, sexual orientation, where you were born, genetics, biometrics, data from anyone 13 or under, and your exact location.

Businesses that must abide by the VCDPA must now ensure they collect consent before they collect data.

Security is a huge part of the law, too. Businesses need to have reasonable admin, tech, and physical safeguards that protect the privacy, accuracy, and availability of people’s personal data. That means only collecting what they really need and having solid security practices in place.

Who Needs to Follow the VCDPA Regulation?

Businesses that handle a significant amount of consumer data in Virginia need to follow the VCDPA.

This means businesses that handle the personal data of over 100,000 Virginia residents in a year, or those that handle the data of at least 25,000 consumers and derive over 50% of their gross revenue from selling this data.

The main goal of the VCDPA is to protect Virginians’ personal data. It defines personal data as anything that could be connected back to a specific person. This covers everything from basic contact info to more private data like biometrics.

However, the VCDPA does not apply in the employment context.

If the VCDPA applies to your business, you’ve got additional responsibilities to comply with. You have to be upfront about how you use people’s personal data with a privacy notice. You need to give consumers certain rights over their own data, like being able to access it, fix mistakes, delete it, or transfer it somewhere else.

You also have to take steps to secure the data and make sure it doesn’t get misused or fall into the wrong hands, among other things.

Exemptions to VCDPA Regulation

Not all businesses need to comply with the VCDPA. Here are some key exemptions:

State and Local Government Entities: Any part of the Virginia state government or its political subdivisions is exempt.

Financial Institutions: Entities covered by the federal Gramm-Leach-Bliley Act, which mainly includes banks and similar institutions.

Healthcare Providers: Covered entities and business associates governed by the privacy, security, and breach notification rules of HIPAA.

Nonprofit Organizations: These are not required to comply with the VCDPA.

Educational Institutions: Colleges and universities are exempt from the VCDPA.

VCDPA Rights

The Virginia Consumer Data Protection Act (VCDPA) empowers consumers with several rights concerning their personal data. It’s crucial for businesses to understand these rights, as they directly impact how consumer data should be handled. It’s worth noting that employee data is not covered under this law, though.

Right to Access and Delete Personal Data

Consumers should be able to see the personal info that businesses have about them. This means that at any time, they can ask to look at the specific data a business has collected on them. Letting people see what’s being held gives them transparency.

Also, if someone doesn’t want their data kept anymore, they can tell the business to delete it. This right matters a lot to people worried about their privacy and controlling their personal info online.

The ability to delete is really important for digital privacy. If someone asks for their data to be removed, the business has to comply and destroy all of the data requested to be deleted.

This makes sure people have a say in how long their info sticks around. It’s a big step in giving people control over their digital footprint and protecting their privacy.

Right to Correct Inaccuracies

The VCDPA law says that consumers should be able to fix any wrong info that businesses have about them. This matters because it helps make sure the data businesses use is right. If someone sees a business has the wrong birthday or address for them, they can ask to change it.

This way, any choices the business makes based on that info, like sending offers or setting up an account, will be correct.

Fixing bad data helps both the consumer and the business, because it means fewer mistakes that could lead to misunderstandings or even lawsuits. So businesses need good processes to quickly fix any wrong customer data that gets reported to them.

Right to Data Portability

The VCDPA lets people ask for their personal info in a way that’s easy to use and move around. This data portability makes it simpler to change services or platforms without losing your stuff.

It’s useful if the consumer wants to switch businesses but keep their data. The business has to give consumers their data in a common format that another system can handle efficiently.

Data portability is a step towards enhancing consumer control over personal data. It encourages competition among businesses by making it easier for consumers to choose between different service providers without losing their data.

Right to Opt-Out of Certain Data Processing

The VCDPA allows consumers to opt out of certain types of data processing. This includes the right to stop their personal data from being used for targeted advertising, the sale of personal data, or profiling.

This right is crucial in giving consumers control over how their personal information is used, especially in contexts that might affect their privacy or autonomy.

Opting out of data processing is super relevant nowadays with all the digital marketing and big data analysis going on.

A consumer who cares about their privacy can use this law to keep their info from being used in ways they object to. For businesses, it means they have to respect people’s choices and offer straightforward ways for consumers to opt out of those kinds of data activities.

Virginia Consumer Data Protection Act Requirements

The Virginia Consumer Data Protection Act (VCDPA) is a significant step in data privacy, setting standards for businesses to responsibly handle personal data.

It’s essential for businesses to understand and comply with these requirements to ensure they are protecting consumer data effectively.

Data Protection Assessments

Businesses must conduct data protection assessments, a key aspect of corporate compliance, to evaluate the risks associated with processing personal data.

This is particularly crucial when dealing with targeted advertising, selling personal data, or engaging in profiling that could harm consumers. These assessments help businesses identify and mitigate potential risks to consumer privacy.

Consumer Consent

Obtaining clear and informed consent from consumers is a cornerstone of the VCDPA. Businesses must ensure that they have explicit consent for collecting and processing sensitive personal data. This means being transparent about the data being collected, how it will be used, and ensuring that consent is freely given.

Security Measures

Implementing robust security measures is non-negotiable under the VCDPA. Businesses are required to establish strong administrative, technical, and physical safeguards to protect personal data from unauthorized access or data breaches.

This includes regular updates and audits of security protocols, encrypting data, and having proper access controls in place.

Transparent Privacy Notice

Providing a clear and accessible privacy notice is mandatory. This notice should inform consumers about several things, such as:

The types of data collected

The purposes of data processing

How it will be used or shared with third parties

How long the data is kept

How the data is stored and protected

Their rights regarding their personal data

Contact details for the data controller and/or data protection officer

Having a complete and easily accessible privacy notice helps with transparency. Transparency builds trust and ensures compliance.

Fulfilling DSARs

Businesses must be prepared to fulfill Data Subject Access Requests (DSARs) efficiently. This involves allowing consumers to access, correct, or delete their personal data, as well as providing data in a portable format if requested. Timely and accurate response to these requests is crucial for compliance.

Businesses must respond within 45 days (and an additional 45 days if necessary) for each DSAR.

DSARs can arrive through any channel – whether through social media messages, email, phone calls, or a form on your website.

Note: Don’t forget to verify the identity of the consumers requesting the data. If you give the data to an unauthorized individual, it may be considered a data breach.

Partnering with Captain Compliance

Ensuring compliance with the VCDPA can be challenging for businesses. That’s where outsourced compliance services can help your business. There’s a whole bunch of rules about protecting people’s information that businesses need to follow. At Captain Compliance, we get how confusing these laws can be.

Our team is full of experts on the ins and outs of the VCDPA. By working with us for outsourced compliance, businesses can be sure they’re doing everything by the book when it comes to consumer data and data subject rights.

We don’t take a one-size-fits-all approach. Every business is different, so we put together plans tailored to each client’s specific needs. We’ll dive in and thoroughly assess where you stand on compliance. Then, we will recommend strategies to get you up to speed, whether that’s overhauling your consent policies or upgrading security measures.

The goal is to ensure compliance so you can focus on your main operations with confidence that your data compliance is on point. With Captain Compliance in your corner, staying on the right side of the VCDPA doesn’t have to be a headache.

Penalties for Non-Compliance with the Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) sets forth specific rules and regulations that businesses must adhere to in order to protect consumer data. Non-compliance with these regulations can lead to significant consequences for businesses.

For each violation of the VCDPA, the business can be fined up to $7,500. So, if there are a bunch of violations or a whole lot of consumers are affected, the total fines can add up fast.

The Virginia Attorney General is the authority responsible for enforcing the Virginia Consumer Data Protection Act (VCDPA). So, if a business breaks the law under the VCDPA, the Attorney General will take legal action against them.

Before the Attorney General sues a business, they have to give it 30 days’ written notice, and this notice spells out exactly how the business violated the VCDPA. The business then has 30 days to fix the problems and stop breaking the law, known as the right to cure.

If a business either fails to rectify the violation within the 30-day period or continues to violate the VCDPA after assuring compliance, the Attorney General can initiate legal action. This can include seeking an injunction to prevent further violations and imposing civil penalties.

Here’s an important thing to know – private consumers living in Virginia can’t sue businesses directly for breaking the VCDPA. Only the Attorney General can take legal action to enforce the law.


The new Virginia Consumer Data Protection Act can be complicated for businesses to figure out. It’s not just about checking boxes and following regulations. It’s really about showing consumers that you care about their privacy and gaining their trust. That’s where Captain Compliance comes in to help.

We can customize plans to make compliance work for your specific business, and whether you need a risk review or help dealing with consumer data requests, our pros can walk you through it.

Not sure how to wrap your head around these new laws? Get in touch with us at Captain Compliance. Let’s partner up to ensure your compliance and make consumers feel secure.


What is the VCDPA, and Who Does it Affect?

The Virginia Consumer Data Protection Act (VCDPA) is a law that protects the personal data of Virginia residents.

It applies to businesses that handle large amounts of consumer data. This includes businesses that process the data of 100,000 consumers, or that derive over 50% of their gross revenue from selling the data of at least 25,000 consumers.

Wondering if your business falls under the VCDPA? Learn more about who needs to comply in our education section!

How Does VCDPA Differ from Other Data Privacy Laws?

VCDPA is similar to California’s CCPA and CPRA but has its unique points. It focuses more on consumer consent and data protection assessments. It’s like having a specific rulebook for data privacy in Virginia.

Confused about the differences? Compare VCDPA with CCPA laws here.

What Rights Do Consumers Have Under VCDPA?

Under VCDPA, consumers have rights like accessing, correcting, and deleting their data. They can also move their data and opt out of certain data uses. It’s about giving people more say over their personal info.

Need to understand consumer rights better? Get in touch with us!

What Are the Penalties for Not Following VCDPA?

Not following VCDPA can lead to fines of up to $7,500 per violation. It’s like getting a big fine for not following important rules. The Virginia Attorney General enforces these rules.

Worried about penalties? Captain Compliance is on your side!

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a free 30-day trial now.