Platform
- The Osano Platform Overview
  
  Get an overview of the simple, all-in-one data privacy platform
- Cookie Consent
  
  Manage consent for data privacy laws in 50+ countries
- Unified Consent & Preference Hub
  
  Streamline consent, utilize non-cookie data, and enhance customer trust
- Subject Rights Management
  
  Streamline and automate the DSAR workflow
- Data Mapping
  
  Automate and visualize data store discovery and classification
- Vendor Privacy Risk Management
  
  Ensure your customers’ data is in good hands
- Assessments
  
  Efficiently manage assessment workflows using custom or pre-built templates
- Features & Integrations
- Privacy Templates
- GDPR Representative
- Consult Privacy Team
- Regulatory Guidance
- Integrations
Solutions
- By Regulation
- CPRA
  
  Discover how Osano supports CPRA compliance
- CCPA
  
  Learn about the CCPA and how Osano can help
- GDPR
  
  Achieve compliance with one of the world’s most comprehensive data privacy laws
- By Organization Type
- Start-Up
  
  Don’t let data privacy compliance get in the way of growth
- Mid-Sized
  
  Preserve your competitive edge
- Enterprise
  
  Manage data privacy at scale
- By Use Case
- Consent Management
  
  Manage consent without the complexity
- DSAR Automation
  
  Never miss a DSAR deadline again
- Vendor Risk Management
  
  Regain insight and control over your customers’ data
- Privacy Program Management
  
  Build and grow an end-to-end privacy program
Resources
- View All Resources
- Articles
  
  Expert insights on all things privacy
- Resource Center
  
  Key resources to further your data privacy education
- U.S. Data Privacy Laws
  
  A guide to data privacy in the U.S.
- Topics
  
  Research the most essential privacy topics
- Newsletter
  
  Subscribe and become a Privacy Insider
- Our Pledge
  
  No fines, no penalties
- Product Updates
  
  What’s the latest with Osano?
- System Status
  
  What’s the status of account management systems, the platform, and support systems?
Stay in the loop with data privacy.
Get Your Copy of the Book
Company
- About Us
  
  The Osano story
- Careers
  
  Become an Osanian and help us build the future of privacy!
- Contact
  
  We’re eager to hear from you
- Our Pledge
  
  No fines, no penalties
- Data Licensing
  
  Add Osano data privacy ratings and recommendations to your application
- Osano Swag Store
- Press & Media
  
  Inquiries and Osano in the news
- Partners & Resellers
  
  Interested in partnering with us?
Pricing
Sign In Book a Demo

US Privacy Law

What Is the Virginia's Consumer Data Protection Act (VCDPA)?

Osano Staff

May 21, 2021

Sign up for our newsletter

Take a close-up look into the Virginia's Consumer Data Protection Act (VCDPA).

What Is the VCDPA?

Virginia's Consumer Data Protection Act (VCDPA), which went into effect January 1, 2023, grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared.

The law aims to establish a framework that protects the rights and interests of Virginia residents and lays out comprehensive guidelines for businesses that process personal information of Virginia residents. It imposes various obligations on these entities to safeguard consumer privacy and ensure responsible data handling practices. By setting clear standards and requirements, the VCDPA seeks to create a more transparent and accountable environment for businesses and consumers alike.

Who Is Subject to the VCDPA?

It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following:

Control or process the personal data of 100,000 or more;
Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information.

VCDPA Requirements

Businesses that meet the above criteria must:

Provide consumers with a clear privacy notice that includes a way for consumers to opt-out of targeted advertising.
Comply with certain consumer requests (such as providing access to their personal data) within 45 days.
Obtain opt-in consent for sensitive data processing.
Disclose to consumers if their data will be sold. Notably, the VCDPA’s definition of a “sale” only covers monetary transactions, while other laws also include transactions involving other valuable considerations.
Allow consumers to opt out of having their data sold.
Allow consumers to delete their data.

You’ll notice that consumers must opt in first before businesses can collect their sensitive data. Under the VCDPA, sensitive data includes personal data that reveals religious beliefs, racial or ethnic origin, mental or physical health, citizenship or immigration status, or sexual orientation. Additionally, processing genetic or biometric data specifically to uniquely identify an individual is considered sensitive data, as well as the personal data from a known child or specific geolocation data.

What Consumer Rights Does the VCDPA Grant?

The VCDPA grants Virginia residents the right to control what happens with data collected about them. Specifically, the law allows consumers:

The right to opt-out of behavioral advertising.
The right to delete their data.
The right to opt-out of the sale of their personal data.
The right to data portability (the ability to transfer data from one platform to another).

When a controller receives a subject rights request, they must respond within 45 days but can request a 45-day extension if the request is of a particularly high volume or complexity.

Controllers can also decline requests, but they must include a valid justification for declining the request—for example, if the request was vexatious in nature.

What Is a Service Provider Under VCDPA?

Under the VCDPA, service providers are considered "processors." A processor would refer to any entity performing a task for the data "controller"—the company collecting the data and deciding how to use it.

Under the VCDPA, controllers and processors have to contractually agree that the processor will delete or return all personal data at the controller's request, and processors can't use additional service providers unless they've contractually agreed to meet the VCDPA's requirements.

What Are the Rules on Targeted Advertising?

Some of the law's critics have said the bill should be more restrictive in its provisions on targeted advertising. Consumers have the right to opt out of their data being used for targeted advertising. The law defines targeted advertising as the use of Virginians' personal data to deliver advertisements based on data from third-party websites or apps in order to predict preferences or interests.

But the law does not apply to:

Ads based on activities within a data controller's own website or app.
Ads based on a consumer's search query, website visit or online application.
Ads directed to a consumer based on their request for information.
Personal data processed only to measure or report advertising performance/reach.

VCDPA Penalties

The Virginia Attorney General will enforce the law. While it does not contain a private right of action as a consumer redress tool, it does allow the attorney general to seek civil penalties of up to $7,500 per violation.

Comparing VCDPA to CCPA and CPRA

Below is a chart comparing some of Virginia's law with both the California Consumer Privacy Act (CCPA), which became effective in 2018, and the law that will replace it on Jan. 1, 2023, the Consumer Privacy Rights Act (CPRA).

	CCPA	CPRA	VCDPA
Enforcement	California Attorney General’s Office	California Privacy Protection Agency	Virginia Attorney General's Office
Profiling	N/A	Consumers can opt-out of automated decision-making	Consumers can opt-out of profiling that produces "legal or significant effects," including for housing, employment and educational eligibility, for example
Sensitive data	N/A	Businesses must disclose how they collect, use and disclose Consumers may opt-out of the use of their sensitive data	Consumers must opt-in to the collection and use of their sensitive data for processing
Data minimization	N/A	Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose	Businesses must only collect and retain what is adequate, relevant and reasonably necessary to the purpose, and that must be disclosed to consumers
Consumer remedies	Consumers may file a private right of action when lack of reasonable security leads to a breach	CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question	Companies must establish a process for consumers to submit complaints No private right of action
Data Protection Impact Assessments	N/A	Required, specific rules to be determined by forthcoming rulemaking	Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm"
Deletion	Businesses must fulfill validation consumer requests to delete their data	Businesses fulfilling legitimate deletion requests must also notify third parties to delete such information	Businesses must delete personal data provided by or obtained via the consumer
Opt-out links	Businesses must have a “Do not sell my personal information” link	Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link	Virginia requires users to be able to opt out of the sale of personal information, targeted advertising, and profiling.
Fines	Up to $7,500 per violation or $2,500 per unintentional violation	Automatic $7,500 fine for violations of minors’ data (children under the age of 16)	Up to $7,500 per violation

Schedule a demo of Osano today

Privacy Policy Checklist

Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.

Download Now

Osano Staff

The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”

Blog

Check out some of our latest articles

Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.

View All Blog Posts View All Resources

Simplify Data Privacy Compliance

With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.

Book a Demo

Cookie Consent

Unified Consent & Preference Hub

Subject Rights Management

Data Mapping

Vendor Privacy Risk Management

Assessments

Privacy Templates

GDPR Representative

Consult Privacy Team

Regulatory Guidance

Integrations

CPRA

CCPA

GDPR

Start-Up

Mid-Sized

Enterprise

Consent Management

DSAR Automation

Vendor Risk Management

Privacy Program Management

Articles

Resource Center

U.S. Data Privacy Laws

Topics

Newsletter

Our Pledge

Product Updates

System Status

About Us

Careers

Contact

Our Pledge

Data Licensing

Osano Swag Store

Press & Media

Partners & Resellers

US Privacy Law

What Is the Virginia's Consumer Data Protection Act (VCDPA)?

Osano Staff

In this article

Sign up for our newsletter

Share this article

What Is the VCDPA?

Who Is Subject to the VCDPA?

VCDPA Requirements

What Consumer Rights Does the VCDPA Grant?

What Is a Service Provider Under VCDPA?

What Are the Rules on Targeted Advertising?

VCDPA Penalties

Comparing VCDPA to CCPA and CPRA

Privacy Policy Checklist

Osano Staff

Osano Staff

Share this article

Blog

Check out some of our latest articles

Privacy Assessments

PIA vs. DPIA: What’s the Difference?

EU Privacy Law

Privacy Assessments

DPIA Template: Follow These Steps for Your Data Protection Impact Assessments

Essentials

Vendor Management

EU Privacy Law

US Privacy Law

What Is a DPIA (Data Protection Impact Assessment)?

Simplify Data Privacy Compliance