
The Virginia Consumer Data Protection Act Goes Into Effect January 1, 2023

Why This Privacy Law is Important:

Signed into law on March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) was the second comprehensive state privacy law, following California, but the first to be initiated by the state legislature. It goes into effect on January 1, 2023, the first of four state privacy laws to begin enforcement this year.


The VCDPA draws substantially from its predecessors in California, but those laws originated differently: that state’s legislature enacted the CCPA to preempt a ballot initiative in 2018, while the CPRA was passed as a ballot initiative by California voters. Companies doing business in Virginia or marketing to Virginians will need to have implemented measures to ensure that their collection and use of consumer personal information meets the requirements of the law.

The VCDPA will grant Virginia residents the rights to access, correct, delete, know, and opt out of the sale and processing for targeted advertising purposes of their personal information, similar to the CCPA and CPRA. In other respects, VCDPA aligns with GDPR, including the adoption of data protection assessment requirements and “controller” and “processor” terminology.

Like the CCPA/CPRA, the VCDPA limits businesses’ collection and use of personal data and requires the implementation of technical safeguards. The VCDPA explicitly limits the collection and processing by controllers of personal data to that which is reasonably necessary and compatible with the purposes previously disclosed to consumers. Also, the VCDPA requires that businesses “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data,” as appropriate to the volume and nature of the personal data at issue.

The VCDPA requires controllers to conduct “data protection assessments” to evaluate the risks associated with processing activities that pose a heightened risk—such as those related to sensitive data and personal data for targeted advertising and profiling—and the sale of personal data. Unlike the GDPR, however, the VCDPA does not specify the frequency with which these assessments must occur. Like Article 28 of the GDPR, the VCDPA also requires that the controller-processor relationship be governed by a data processing agreement. The VCDPA does not displace or amend businesses’ existing obligations under Virginia law to report data breaches.
