Make Sure You're Complying with the Virginia Consumer Data Protection Act with this Checklist from Exterro

Read this article to get a checklist that will help you determine if you're in compliance with the provisions of the Virginia Consumer Data Protection Act (VCDPA).

The Virginia Consumer Data Protection Act (VCDPA), which went into effect on January 1, 2023, has become the "gold standard" for state privacy laws outside of California. As we move through 2026, the law has seen critical updates—particularly regarding children's privacy and social media restrictions—that every covered business must now navigate.

Whether you're a seasoned compliance officer or a small business reaching the threshold for the first time, this checklist captures the core requirements and the 2025–2026 amendments.

VCDPA 2026 Readiness Checklist

1. Confirm Your Scope & Thresholds

The VCDPA doesn't apply to every business. You are only in scope if you conduct business in Virginia (or target its residents) and meet one of two criteria:

  • Volume: You control or process the personal data of at least 100,000 Virginia consumers.
  • Data Monetization: You control or process the data of at least 25,000 Virginia consumers AND derive over 50% of your gross revenue from the sale of that data.

Note on Exemptions: Unlike some other states, Virginia provides broad entity-level exemptions. If your entire organization is a non-profit, a higher education institution, or a financial institution subject to the GLBA, you are generally exempt from the VCDPA.

2. Implement the "Right to Opt-Out" (Updated 2026)

Virginia is primarily an "Opt-Out" regime for standard personal data. You must provide a clear way for consumers to stop the processing of their data for:

  • Targeted advertising.
  • The sale of personal data.
  • Profiling that produces legal or "similarly significant" effects.

3. Handle Sensitive Data (Strict "Opt-In")

While standard data is opt-out, Sensitive Data is strictly Opt-In. You cannot collect or process the following without prior affirmative consent:

  • Precise geolocation (within a radius of 1,750 feet).
  • Racial or ethnic origin, religious beliefs, or sexual orientation.
  • New for 2025/2026: Heightened protections and specific consent requirements for reproductive and sexual health information.
  • Biometric or genetic data used for unique identification.

4. Children’s Privacy: The 2025/2026 Shift

The most significant changes to the VCDPA recently involve minors.

  • Under 13: Must follow COPPA-level parental consent.
  • Under 16 (Effective Jan 1, 2026): New amendments require social media platforms to use "commercially reasonable methods" to identify minors. If identified, platforms must implement a default one-hour daily time limit unless a parent provides verifiable consent to change it.

5. Data Protection Assessments (DPAs)

You are legally required to conduct and document a formal DPA for "high-risk" processing activities, including:

  • Processing sensitive data.
  • Selling personal data.
  • Targeted advertising.
  • Any profiling that risks unfair/deceptive treatment or financial/reputational injury.

6. Manage Third-Party Relationships

Data integrity is only as strong as your weakest vendor. The VCDPA requires mandatory contracts between "Controllers" (you) and "Processors" (your vendors) that:

  • Set the duration and purpose of processing.
  • Require the processor to ensure confidentiality.
  • Obligate the processor to delete or return data at the end of the service.

Enforcement & Penalties

There is no private right of action in Virginia (consumers cannot sue you directly). Only the Attorney General has enforcement power.

  • The "Right to Cure": Virginia offers a permanent 30-day cure period. If the AG notifies you of a violation, you can avoid fines by fixing it within 30 days and providing a written statement that no further violations will occur.
  • Fines: Up to $7,500 per violation.
