Virginia Privacy Law: A 2023 VCDPA Overview

As of January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) has taken full effect in the Commonwealth. The primary goal of the act is to bring Virginia’s citizen protection up to speed with the challenges of modern life on the internet. Data protection and privacy are emerging areas of the law that will continue to expand and to generate problems and challenges for businesses and citizens in the Commonwealth, now and into the foreseeable future. This blog summarizes some of the key features of the VCDPA as it currently stands in Virginia.

What is the VCDPA, and to Whom Does It Apply?

The principal aspects of the VCDPA include expanded consumer privacy rights, a comprehensive definition of personal information, the creation of a protected category of sensitive data, and data protection requirements for those who manage and control data.[1] The VCDPA applies to persons who conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that:

  1. during a calendar year, control or process personal data of at least 100,000 consumers; or
  2. control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.


Organizations subject to HIPAA, not-for-profit organizations, higher education institutions, financial institutions, and any data that is subject to the Gramm-Leach-Bliley Act are exempt from the requirements of the VCDPA.

What is “Personal Information” under the VCDPA?

Personal information is expansively defined under the VCDPA as “any information that is linked or reasonably linked to an identified or identifiable natural person.” In addition to the new personal information definition, the act creates a sub-category of personal data entitled “sensitive data” that includes:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. the personal data collected from a known child; or
  4. precise geolocation data.


Know Your Obligation: The Data Protection Assessment

Businesses that fall under the jurisdiction of the act will be required to “conduct and document a data protection assessment” if they process any sensitive data, sell personal data, or process personal data for targeted advertising or profiling purposes.[2]

The act creates no private right of action. Enforcement is provided for by the Virginia Attorney General’s office, and violations can result in fines of up to $7,500 each.

If your business falls into a category subject to jurisdiction or you aren’t clear on whether you will be impacted, contact our attorneys to learn more.