What Is the Virginia Consumer Data Protection Act?
VCDPA applies to persons conducting business in Virginia who process personal data of 100,000+ Virginia consumers, or 25,000+ consumers while deriving 50%+ of revenue from selling personal data. Rights include access, deletion, correction, portability, and opt-out of targeted advertising, sale, and profiling. The law is enforced exclusively by the Attorney General with a 30-day cure period and civil penalties up to $7,500 per violation. No private right of action.
At a glance
- Full name
- Virginia Consumer Data Protection Act
- Short code
- VCDPA
- Effective date
- January 1, 2023
- Response deadline
- 45 days
- Cure period
- 30 days
- Private right of action
- No
- Enforcement
- Virginia Attorney General
- Maximum penalty
- Up to $7,500 per violation
- Statutory citation
- Va. Code § 59.1-575 et seq.
Who VCDPA applies to
A business is covered if it meets the applicability thresholds set out in Va. Code § 59.1-575 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Controls or processes personal data of at least 100,000 Virginia consumers in a calendar year, OR
- Controls or processes personal data of at least 25,000 Virginia consumers AND derives over 50% of gross revenue from the sale of personal data
Consumer rights under VCDPA
Right to delete personal data (§ 59.1-577)
Right to opt out of sale, targeted ads, and profiling
Right to appeal denied requests
AG exclusive enforcement, $7,500/violation
Notable features (vs. CCPA)
VCDPA was explicitly modeled on the EU's GDPR (consent-based, controller/processor terminology) rather than CCPA. It was the first US state law to require data protection assessments (DPAs) for high-risk processing. Employee and B2B data are excluded — a significant scope difference from CCPA.
Enforcement & penalties
Enforcing agency: Virginia Attorney General
Maximum penalty: Up to $7,500 per violation
Cure period: Businesses had a 30-day cure period under the original VCDPA; this remains in effect and has not been sunset.
Private right of action: VCDPA has no private right of action. Enforcement is exclusive to the Virginia Attorney General.
Where to file a complaint: Virginia Office of the Attorney General
How to exercise your VCDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies VCDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Virginia resident (e.g., ZIP code, email associated with your record).
- 3
Under VCDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Virginia Office of the Attorney General at https://www.oag.state.va.us/consumercomplaintform.
Use your rights
VCDPA-compliant deletion emails, $5 one-time
OfflistMe drafts VCDPA-compliant deletion emails for 300+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
How is VCDPA different from California's CCPA?+
VCDPA is narrower — it does not include a private right of action, has higher scope thresholds, and does not cover employee/B2B data. But response windows and deletion rights are functionally similar for most consumer data broker requests.
Can I sue a data broker under VCDPA?+
No. VCDPA has no private right of action. All enforcement runs through the Virginia Attorney General's office. File complaints at oag.state.va.us.
Official sources & citations
Compare with sibling state laws
VCDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: