Virginia Senate Passes Consumer Data Protection Act


ACA Compliance Group



Cyber Alert


  • Cybersecurity
  • Privacy

On February 3, 2021, the Virginia Senate unanimously passed the Virginia Consumer Data Protection Act (VCDPA). This data privacy law would grant privacy rights and consumer protection to Virginia residents.

Virginia legislators are working to reconcile the Senate's version of the bill with a parallel bill from the state’s House, after which the law would be sent to the Virginia governor for final approval. If approved by the governor, the law is set to go into effect on January 1, 2023.

The VCDPA shares many features with California’s Consumer Privacy Act (CCPA), the upcoming modifications under the California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR).

Key Features

Key features of the VCDPA include:

  • Application – The law would apply to businesses that process or control data for 100,000 or more Virginians, or businesses that get 50% of their revenue from selling or processing consumer data from 25,000 or more Virginians.
  • Consumer Definition – The law defines consumers as residents of Virginia “acting in an individual or household context.” It does not include individuals in employment and commercial contexts.
  • Exemption – The law would exempt financial institutions or data subject to the GLBA, entities subject to HIPAA, nonprofits, and higher education institutions.
  • Penalties – The law would be enforced exclusively by the Virginia Attorney General’s office. There is no private right of action. Entities suspected of violating the law would be given 30 days’ notice with an opportunity to cure the violation. If the violation is not cured, penalties would be $7,500 per violation.
  • Personal Data – The law defines personal data as “any information reasonably linkable to an identified or identifiable natural person.”
  • Sensitive Data – The law includes compliance obligations regarding sensitive data, i.e., personal data that reveals race, ethnicity, religion, sexual orientation, citizenship, physical/mental diagnosis, genetic data, biometric data, geolocation data, data from a known child, and more. Sensitive data cannot be processed without prior consent and without a documented data protection assessment.
  • Data Protection Assessments – The law requires controllers to conduct written data protection assessments for specific activities related to personal data, including targeted advertising, sale, profiling, and more.
  • Personal Data Rights – Virginia consumers have personal data rights, including:
    • Confirming and accessing personal data being processed
    • Correcting inaccurate personal data
    • Deleting personal data
    • Obtaining usable copies of personal data
    • Opting out of the processing of personal data (targeted advertising, personal data sale, profiling for legal or other effects)

ACA Guidance

The VCDPA provides another example of states taking action to ensure data privacy rights for their citizens. Data privacy legislation continues to be pursued in other states, including New York, Florida, Oklahoma, Washington, and Minnesota. Whether data privacy legislation will ultimately be enacted on a national level remains to be seen.

It would be wise for firms to prepare well in advance of the proposed enactment of the legislation in January 2023, including taking the following actions:

  • Analyze existing data handling practices
  • Examine data inventories
  • Assess and address gaps regarding regulatory requirements

Taking those actions can mitigate issues down the line. This holds for companies to which the VCDPA applies and, more generally, for all firms, given the expectation of future privacy legislation at the state and/or federal levels.

ACA will continue to monitor developments and will publish a more robust FAQ about the VCDPA should the governor sign it into law.

How We Help

ACA Aponix provides a wide range of data privacy gap assessments and advisory services.

We help companies assess their privacy programs to ensure regulatory compliance. We help firms implement best practices for achieving broader privacy risk and compliance objectives across the enterprise.

Schedule a call with ACA Aponix to discuss your concerns and how we can help you.
