VCDPA Explained: Virginia's Privacy Law and What It Means for Your Online Store

The Virginia Consumer Data Protection Act sets the template for most US state privacy laws. Here's what it requires, who it applies to, and how to comply.

2026-03-01

The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, making Virginia one of the first states after California to pass a comprehensive privacy law. It has since become the blueprint that most other state privacy laws are modeled after.

If you sell online and have customers in Virginia, this law almost certainly applies to you.

Who Does the VCDPA Apply To?

The VCDPA applies to businesses that conduct business in Virginia or target Virginia residents and meet either threshold:

  • Control or process personal data of at least 100,000 Virginia consumers per year, OR
  • Control or process personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from selling personal data

Important note: "Processing" is broadly defined. If your website drops cookies or loads tracking scripts for Virginia visitors, you're processing their data.

What Rights Do Virginia Consumers Have?

Under the VCDPA, Virginia residents can:

  • Access their personal data
  • Correct inaccurate personal data
  • Delete their personal data
  • Obtain a copy of their data in a portable format
  • Opt out of the sale of personal data, targeted advertising, and profiling

You must respond to consumer requests within 45 days, with a possible 45-day extension if you notify the consumer.

What Does the VCDPA Require from Businesses?

1. Privacy Notice

You must provide a clear, accessible privacy policy that discloses:

  • Categories of personal data you process
  • The purpose for processing
  • How consumers can exercise their rights
  • Categories of data shared with third parties
  • Whether you sell personal data or use it for targeted advertising

2. Data Protection Assessments

If you engage in any of the following, you must conduct a Data Protection Assessment:

  • Targeted advertising
  • Selling personal data
  • Profiling that presents a risk of harm
  • Processing sensitive data
  • Any processing that presents a heightened risk of harm

3. Sensitive Data

You cannot process sensitive data without explicit opt-in consent. Sensitive data includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Health diagnosis data
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Children's data (under 13)
  • Precise geolocation data

4. Opt-Out Requirements

If you sell data or use targeted advertising, you must provide a clear opt-out mechanism. Virginia does not currently mandate honoring Global Privacy Control (GPC) signals, but many businesses choose to honor them as best practice.

How Is the VCDPA Different from CCPA?

| | VCDPA (Virginia) | CCPA (California) |
|---|---|---|
| Revenue threshold | None | $25 million |
| Consumer threshold | 100,000 or 25,000 + revenue | 50,000+ consumers |
| Private lawsuits | No | Yes (for data breaches) |
| Cure period | 30 days (expired Jan 2025) | None |
| GPC required | No | Yes |
| Enforcement | VA Attorney General only | CA AG + CPPA + private suits |
| Fines | Up to $7,500 per violation | Up to $7,500 per violation |

The VCDPA is enforced exclusively by the Virginia Attorney General. There is no private right of action, which makes it less risky than CCPA from a lawsuit perspective — but AG enforcement actions can still be devastating.

Your VCDPA Compliance Checklist

If you run an online store with Virginia customers:

  • Privacy policy covering all required disclosures
  • Cookie consent banner with opt-out for non-essential cookies
  • "Do Not Sell" link in your footer if you use ad trackers
  • Consumer request process for access, delete, correct, and portability
  • Sensitive data consent — opt-in before collecting any sensitive categories
  • Data protection assessments if you run targeted advertising
  • Vendor agreements with any third parties who process data on your behalf

Check Your Compliance

The fastest way to see where your store stands against the VCDPA is to scan it. ClearConsent checks your site against all 19 active US state privacy laws — including the VCDPA — in under 60 seconds. It detects your trackers, cookies, and compliance gaps, then tells you exactly what to fix.
