Virginia Data Privacy Rights: VCDPA Guide for Data Broker Opt-Outs (2026)
Virginia's VCDPA was one of the first comprehensive privacy laws after California. It includes a unique internal appeals requirement and is particularly relevant for the large population of federal employees and security clearance holders in the DC-Virginia area.
Virginia's Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, making Virginia one of the first states after California to enact comprehensive consumer privacy legislation. With over 8 million residents and a large population of federal employees, contractors, and military personnel with heightened privacy concerns, Virginia's law has significant practical implications for data broker removal.
What the Virginia Consumer Data Protection Act Covers
The VCDPA applies to businesses that:
- Control or process personal data of at least 100,000 Virginia consumers per year, OR
- Control or process personal data of at least 25,000 Virginia consumers AND derive over 50% of gross revenue from selling personal data
The law covers businesses operating in Virginia or targeting products/services to Virginia residents, regardless of where the business is headquartered.
Core Consumer Rights Under VCDPA
Right to Access: Virginia residents can request confirmation of whether a company processes their personal data and access to that data.
Right to Correct: You can request correction of inaccurate personal data.
Right to Delete: You can request deletion of personal data you provided or that was collected about you through your activities.
Right to Data Portability: You can request a copy of your personal data in a portable, commonly used format.
Right to Opt Out of Sale: You can opt out of the sale of your personal data to third parties.
Right to Opt Out of Targeted Advertising: You can opt out of targeted advertising based on your personal data.
Right to Opt Out of Profiling: For profiling that produces legal or similarly significant effects, opt-out rights apply.
What Makes Virginia's Law Distinctive
Appeals mechanism: VCDPA requires businesses to establish an internal appeals process for denied consumer requests. If a data broker denies your deletion request, you can formally appeal within the company. If the appeal is also denied, you can file a complaint with the Virginia Attorney General.
Sensitive data opt-in: VCDPA requires businesses to obtain opt-in consent before processing sensitive categories of personal data. Sensitive categories include:
- Racial/ethnic origin
- Religious beliefs
- Mental or physical health
- Sexual orientation
- Immigration status
- Genetic data
- Biometric data used for identification
- Children's data (under 13)
- Precise geolocation data
No private right of action: Like Texas, Virginia's VCDPA has no private right of action — enforcement is exclusively through the AG's office.
Deidentification safe harbor: Businesses that properly deidentify data (removing all personal identifiers) are not subject to VCDPA for that deidentified data.
How to Exercise VCDPA Rights Against Data Brokers
Step 1: Identify covered data brokers
All major data brokers (WhitePages, Spokeo, BeenVerified, Intelius, TruthFinder) process the data of well over 100,000 Virginia residents and are subject to VCDPA.
Step 2: Submit deletion requests
Use the standard opt-out forms on each data broker's privacy page — these are designed to comply with VCDPA and CCPA simultaneously. For formal VCDPA requests, include the citation:
"Pursuant to the Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), I am requesting deletion of all personal data you have collected, processed, or shared about me as a Virginia consumer. Please confirm receipt and expected deletion timeline."
Step 3: If denied, invoke the appeal process
VCDPA requires data brokers to provide an appeals mechanism. If your deletion request is denied, request the internal appeals process. If the appeal is denied, file a complaint with the Virginia AG at oag.state.va.us.
Step 4: File AG complaints for non-compliance
Data brokers that fail to respond within 45 days (or the extended period with proper notice) or that fail to provide a functioning appeal mechanism face enforcement action from the Virginia AG.
Virginia Residents and Federal Employee Privacy Concerns
Virginia has a uniquely large population of federal employees, defense contractors, and intelligence community workers — the DC/Northern Virginia/Maryland metro area is home to the largest concentration of security clearance holders in the US. For this population, data broker exposure is not just a personal privacy inconvenience — it is potentially a security concern.
Federal employees and contractors with security clearances should review their data broker exposure through the lens of the data removal for military personnel guide and consult with their agency's security officer about additional steps.
VCDPA Compared to Other State Laws
| Feature | Virginia VCDPA | California CCPA | Texas TDPSA | Colorado CPA |
|---|---|---|---|---|
| Effective date | Jan 1, 2023 | Jan 1, 2020 | Jul 1, 2024 | Jul 1, 2023 |
| Right to delete | Yes | Yes | Yes | Yes |
| Right to correct | Yes | Yes | Yes | Yes |
| Opt out of sale | Yes | Yes | Yes | Yes |
| Sensitive data | Opt-in consent | Enhanced | Opt-in consent | Opt-in consent |
| Appeals required | Yes | No | No | Yes |
| Private right of action | No | Limited | No | No |
| Enforcement | AG | CPPA | AG | AG |
Virginia's appeal mechanism requirement is relatively distinctive — most states do not require businesses to have a formal internal appeal process for denied privacy requests.
Practical Data Broker Opt-Out Steps for Virginia Residents
Submit deletion requests to all major data broker sites. VCDPA gives you legally binding deletion rights against covered businesses. For any broker that adds unusual friction or denies a request, escalate to formal VCDPA request language and, if necessary, the AG.
For comprehensive coverage of all 500+ data brokers, OfflistMe handles all submissions in a single session. One-time pricing: $7.00 for a 24-hour removal, $90.00 ($45.00 currently at 50% OFF) for annual monitoring. Start your removal here.
Frequently Asked Questions
Does Virginia VCDPA apply to all companies processing my data, including small businesses?
VCDPA has size thresholds (100,000 consumers/year or 25,000 consumers + 50% of revenue from data sales). Small businesses below these thresholds may not be covered, but most major data brokers clearly exceed the thresholds.
Can I use VCDPA rights even if the data broker is not based in Virginia?
Yes. VCDPA applies based on where consumers are located, not where the business is headquartered. A data broker headquartered in California that processes Virginia residents' data is subject to VCDPA.
What is the timeline for Virginia data brokers to respond to deletion requests?
45 days from receipt of the request. The company may take an additional 45 days if they notify you of the extension and the reason within the first 45 days.
I filed a VCDPA deletion request and it was denied. What do I do?
Request the company's internal appeal process — VCDPA requires businesses to provide one. If the appeal is denied, file a complaint with the Virginia Attorney General's Office at oag.state.va.us/consumer-protection.
Virginia's Federal Employee Population: A Special Privacy Note
The DC/Northern Virginia/Maryland metro area is home to the largest concentration of federal employees, defense contractors, and intelligence community workers in the United States. Fairfax County, Arlington, Loudoun, and Prince William counties collectively house hundreds of thousands of individuals with active security clearances — ranging from contractors at defense firms in Tysons and Reston to federal agency employees at the Pentagon, NRO, NGA, DHS, and dozens of other agencies.
For this population, the privacy stakes of data broker exposure are categorically different from those facing a typical consumer. Data broker profiles — which typically contain current home address, household members' names, employer, phone number, and often vehicle information — are exactly the type of personal information that foreign intelligence services routinely attempt to collect about US cleared personnel. The Office of the Director of National Intelligence has issued public guidance acknowledging that commercial data broker databases represent a collection vector for adversarial intelligence operations targeting US government employees.
The VCDPA gives Northern Virginia's federal employee population a direct legal tool to suppress their personal data from commercial databases. Unlike security clearance review processes, which are employer-driven, VCDPA deletion rights are individual: cleared employees can submit deletion requests to data brokers directly, without going through their agency, and can cite Virginia law to create legally binding obligations on covered businesses.
Key considerations for federal employees exercising VCDPA rights:
- VCDPA deletion rights apply to data brokers operating commercially, which includes all major people-search sites
- Submitting VCDPA-cited deletion requests creates a legal record of the request and the broker's response
- For particularly sensitive individuals (counterintelligence roles, special access programs), consulting with a security officer before interacting with data broker sites is advisable — some agencies have guidance on this
- Household members of cleared employees are equally exposed and should be considered for parallel removal requests
Practical Virginia Opt-Out Strategy
Virginia residents have a clear four-step process for exercising VCDPA rights against data brokers, with escalation options if brokers fail to comply.
Step 1: Use VCDPA language in all deletion requests. Do not rely on generic opt-out forms alone. Include explicit VCDPA citation in your request. A brief addition to any opt-out submission is sufficient:
"Pursuant to the Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), I am requesting deletion of all personal data you have collected, processed, or shared about me. Please confirm receipt and expected completion timeline within the 45-day statutory window."
This language routes your request through the legal compliance process rather than the standard customer service queue, typically resulting in faster and more thorough responses.
Step 2: Know your 45-day timeline. VCDPA requires data brokers to respond within 45 days of receiving a deletion request. The company may extend this by an additional 45 days with written notice and explanation. If you do not receive any response within 45 days, you have grounds for an AG complaint.
Step 3: Invoke the appeals process for denied requests. Virginia's VCDPA specifically requires businesses to establish an internal appeals mechanism — this is distinctive among state privacy laws. If a broker denies your deletion request, request their internal appeals process by name. Most major data brokers have published appeal instructions in their privacy policies. Invoking the appeals process creates a documented escalation trail.
Step 4: File AG complaints for non-compliance. Data brokers that fail to respond within the statutory window, fail to provide a functioning appeal mechanism, or deny requests without valid grounds can be reported to the Virginia Attorney General's Consumer Protection Division. File complaints at oag.state.va.us/consumer-protection. The AG has civil penalty authority of up to $7,500 per violation, which creates meaningful compliance incentive for covered businesses.
For comprehensive coverage of all 500+ data brokers, OfflistMe's templates include VCDPA-cited language appropriate for Virginia residents. Start your removal here.
Related Guides
Understand your privacy rights
Every removal request cites a specific statute. These plain-English explainers show what each law covers and how enforcement actually works.
Related Data Broker Removal Guides
Take back your privacy today
Remove your personal information from data brokers and platforms in seconds.
Remove Your Personal Data NowFrom $7.00 one-time · 500+ data brokers · No subscription