ConsentPixel – Privacy · Verified

US State Privacy Law

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive privacy law has been in effect since January 1, 2023. If your website collects data from Virginia residents and crosses the volume thresholds, you must honour five consumer rights — including an opt-out of targeted advertising — and document how you process personal data.

Effective January 1, 2023
Virginia AG enforcement
Updated 2026

$7,500: Max civil penalty per violation
100K: Consumer records threshold
30 days: Cure period before enforcement
45 days: To respond to consumer rights requests

What Is the VCDPA?

The Virginia Consumer Data Protection Act is Virginia's comprehensive consumer data privacy law, signed by Governor Ralph Northam in March 2021 and effective January 1, 2023. Virginia was the second US state — after California — to pass a broad privacy law, and its structure borrows heavily from the GDPR's controller/processor framework rather than California's service-provider model.

Unlike California's CCPA, the VCDPA does not give individual consumers a private right of action. Enforcement rests solely with the Virginia Attorney General, who must first issue a 30-day written notice to cure before imposing penalties. In practice, this makes the VCDPA somewhat less immediately litigious than CCPA — but the compliance obligations for covered businesses are substantively similar and actively monitored.

VCDPA uses GDPR terminology. The law distinguishes between controllers (entities that determine the purposes and means of processing — typically you, the website owner) and processors (entities that process data on behalf of a controller — typically your SaaS vendors). This mirrors the GDPR framework and means that if you already have GDPR-compliant data processing agreements in place, much of the vendor contract work carries over.

Who Does VCDPA Apply To?

VCDPA applies to for-profit entities that conduct business in Virginia or produce products or services targeted to Virginia residents, and that meet at least one of the following thresholds during a calendar year:

100,000+ Virginia consumers whose personal data you control or process per year. Includes website visitors tracked by analytics or ad pixels.

25,000+ Virginia consumers processed, and more than 50% of revenue from data sales. Lower volume threshold for businesses monetising personal data.

There is no revenue threshold in VCDPA — unlike CCPA's $25 million gross revenue trigger. This means a small business with high web traffic could be covered even with modest revenues. The 100,000 consumer count includes website visitors whose data is processed by third-party analytics or advertising tools, not just paying customers.

Employee and B2B data is exempt — but consumer data is not. VCDPA explicitly excludes data processed in an employment or contractor context, and data exchanged in a commercial B2B context. However, any data collected from Virginia residents visiting your website as consumers — browsing, clicking, purchasing — is fully in scope.

Non-profit organisations, state bodies, and certain regulated industries (financial institutions covered by GLBA, healthcare entities covered by HIPAA) have partial or full exemptions. If your entity falls into one of these categories, review the specific exemption language carefully — most exemptions apply to the regulated data category, not the organisation as a whole.

The Five Consumer Rights Under VCDPA

Virginia consumers have five statutory rights under the VCDPA. Covered businesses must have a documented process to handle each one within 45 days of receiving a verifiable request (extendable by a further 45 days with notice).

Right 1: Right to Access

Consumers can confirm whether you are processing their personal data and, if so, obtain a copy of the specific data you hold. You may not charge a fee for the first request in any 12-month period.

Right 2: Right to Correct

Consumers can request correction of inaccuracies in their personal data, taking into account the nature of the data and the purposes of processing. You must consider corrections in good faith.

Right 3: Right to Delete

Consumers can request deletion of personal data you have collected about them — including data obtained from third parties. Exceptions apply for legal obligations, fraud prevention, and research purposes.

Right 4: Right to Data Portability

Consumers can receive a copy of their data in a portable, readily usable format that allows them to transmit it to another controller. Required when processing is carried out by automated means.

Right 5: Right to Opt Out

Consumers can opt out of the processing of their personal data for three specific purposes: targeted advertising, sale of personal data, and profiling that produces legal or similarly significant decisions. Effective January 2025, businesses must also honour Universal Opt-Out Mechanism (UOOM) signals such as the Global Privacy Control (GPC).

What VCDPA Requires from Your Website

For most website owners, VCDPA creates four categories of practical obligation that intersect directly with how your site collects and shares visitor data.

1. Privacy Notice

Your privacy policy must clearly disclose: the categories of personal data you collect; the purposes for processing; how consumers can exercise their rights; the categories of personal data you share with third parties; and the categories of third parties with whom you share. The notice must be reasonably accessible and clear.

2. Opt-Out Mechanism for Targeted Advertising and Data Sales

If you use advertising pixels (Meta Pixel, Google Ads, TikTok Pixel), retargeting tools, or share behavioural data with ad networks, you are engaged in "targeted advertising" or "sale of personal data" under VCDPA. You must provide a clear, conspicuous opt-out mechanism — and from January 1, 2025, you must automatically honour the Global Privacy Control (GPC) browser signal as a valid opt-out without requiring the consumer to manually interact with a banner.

GPC signal honouring is now mandatory in Virginia. Virginia's amendment requiring businesses to recognise Universal Opt-Out Mechanisms took effect January 1, 2025. If a Virginia consumer visits your site with GPC enabled and your consent platform does not detect and honour that signal, you are in violation — even if you have a fully functional opt-out banner.
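
An added example (not ConsentPixel's code, and not from the original page) of the check described above: detect GPC from the browser property or the `Sec-GPC` request header, establish opt-out status, and keep advertising and data-sale tags from loading. The category names, the tag inventory and the `storedChoice` shape are assumptions made for illustration.

```javascript
// Added example, not ConsentPixel's code. Category names, the tag list and
// the storedChoice shape are assumptions made for illustration.
const OPT_OUT_CATEGORIES = new Set(["targeted_advertising", "data_sale"]);

// GPC is exposed to page script as navigator.globalPrivacyControl and to the
// server as the request header "Sec-GPC: 1". Only those exact values count.
function gpcEnabled(signal) {
  const { navigatorLike, headers } = signal || {};
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return true;
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// Establish opt-out status. GPC counts without any banner interaction and,
// in this sketch, takes precedence over a stored banner choice (assumption).
function resolveOptOut(signal, storedChoice, now = new Date()) {
  const gpc = gpcEnabled(signal);
  const banner = Boolean(storedChoice && storedChoice.optedOut === true);
  return {
    optedOut: gpc || banner,
    source: gpc ? "gpc" : banner ? "banner" : "none",
    noticeVersion: storedChoice ? storedChoice.noticeVersion : null,
    timestamp: now.toISOString(), // record kept for the opt-out log
  };
}

// Return the tags that may load. With no decision yet (null), every tag in
// an opt-out category stays blocked, so nothing fires before status is known.
function allowedTags(tags, decision) {
  const block = decision === null || decision.optedOut;
  return tags.filter((t) => !(block && OPT_OUT_CATEGORIES.has(t.category)));
}

// Constructed sample inventory; the URLs are placeholders.
const SAMPLE_TAGS = [
  { src: "https://ads.example/pixel.js", category: "targeted_advertising" },
  { src: "https://broker.example/sync.js", category: "data_sale" },
  { src: "/static/app.js", category: "essential" },
];
```

Checking the header on the server as well as the browser property covers requests where no page script has run yet.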

3. Data Protection Assessments

VCDPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk — including targeted advertising, sale of personal data, processing sensitive data, and profiling for consequential decisions. These assessments must weigh the benefits of the processing against the risks to consumers. They do not need to be submitted to any authority but must be produced upon request during an investigation.

4. Data Processing Agreements with Processors

Every vendor that processes personal data on your behalf — your analytics platform, email service, CRM, support tool, payment processor — is a "processor" under VCDPA. You must have a binding contract with each processor that: specifies processing instructions; requires confidentiality; mandates deletion or return of data at contract termination; and obliges the processor to assist with your consumer rights obligations. Most major SaaS vendors provide VCDPA-ready DPAs on request.

VCDPA vs. CCPA vs. GDPR — Key Differences

If you are already managing CCPA or GDPR compliance, here is how VCDPA compares across the dimensions that matter most operationally:

| Feature | VCDPA (Virginia) | CCPA/CPRA (California) | GDPR (EU) |
|---|---|---|---|
| Effective date | Jan 1, 2023 | Jan 1, 2020 / Jan 1, 2023 | May 25, 2018 |
| Revenue threshold | None | $25M gross revenue | None |
| Consumer volume threshold | 100K consumers/year | 100K consumers/year | None |
| Opt-in consent for tracking? | No — opt-out model | No — opt-out model | Yes — opt-in required |
| GPC signal honouring | Required (Jan 2025) | Required | Recommended (no mandate) |
| Private right of action | No | Limited (data breaches) | Yes |
| Data protection assessments | Required (high-risk) | Not required | Required (DPIAs) |
| Controller / processor framework | Yes (GDPR-style) | No (business/service-provider) | Yes |
| Cure period before enforcement | 30 days (written notice) | None (CPRA removed it) | None |
| Max civil penalty | $7,500 per violation | $7,500 per intentional violation | €20M or 4% global revenue |

How ConsentPixel — Privacy · Verified Handles VCDPA

ConsentPixel — Privacy · Verified is purpose-built to cover the full US state privacy law landscape — not just GDPR. A single pixel installation on your website handles every VCDPA technical obligation automatically.

Script blocking by consent state

All advertising and analytics scripts are blocked at page load. They fire only after the visitor's opt-out status is established — ensuring no Virginia consumer data reaches ad networks before they have had the opportunity to opt out.

GPC signal detection

ConsentPixel automatically reads the Global Privacy Control browser signal on every page load. When detected for a Virginia visitor, targeted advertising and data sale scripts are suppressed immediately — no manual opt-out click required.

Consent and opt-out logging

Every consent decision and opt-out event is timestamped and stored in your portal's audit log — with the version of notice shown, the consumer's choice, and whether the signal came from the banner or GPC. Ready for AG production requests.

Automatic tracker scanning

ConsentPixel scans your site continuously for new third-party scripts and categorises them by risk level. When a new advertising pixel or analytics tag is detected, you are alerted so your data inventory stays current without manual audits.

Cookie declaration and privacy policy

The ConsentPixel portal generates a living cookie declaration listing every tracker on your site, auto-updated when the scanner detects changes. Embed it directly in your privacy notice to meet VCDPA's disclosure requirements.

DSAR intake portal

A branded, embeddable data subject request form handles the five VCDPA consumer rights. Requests are routed to your portal inbox with deadline tracking, identity-verification prompts, and a response log — so nothing falls through the cracks.

VCDPA Compliance Checklist

Use this checklist to assess your current VCDPA posture.

VCDPA Website Compliance Checklist (10 items)

1. Confirm VCDPA thresholds apply to your business: 100K+ Virginia consumer records/year, or 25K+ records with 50%+ revenue from data sale
2. Update your privacy notice with VCDPA-required disclosures: Data categories collected, processing purposes, third-party sharing, and how to submit rights requests
3. Add a clear opt-out mechanism for targeted advertising and data sale: Prominently placed link or banner — must be functional, not cosmetic
4. Implement Global Privacy Control (GPC) signal recognition: Mandatory in Virginia as of January 1, 2025 — your CMP must detect and honour GPC automatically
5. Set up a consumer rights request process: Intake channel + 45-day response window + identity verification + request log
6. Conduct data protection assessments for high-risk processing: Required for targeted advertising, data sale, sensitive data, and consequential profiling
7. Review and update processor contracts: All data processors must have VCDPA-compliant DPAs specifying instructions, confidentiality, and deletion terms
8. Build a data inventory mapping all personal data flows: What data is collected, from where, stored where, shared with whom, and for how long
9. Ensure no ad or analytics scripts fire before opt-out status is established: Technical script blocking — not just a notice overlay — is required for genuine compliance
10. Maintain consent and opt-out logs for audit purposes: Timestamped records of every consumer choice, including GPC-triggered opt-outs

Frequently Asked Questions

The Virginia Consumer Data Protection Act is Virginia's comprehensive consumer privacy law, effective January 1, 2023. It grants Virginia residents rights over their personal data — access, correction, deletion, portability, and opt-out — and imposes obligations on businesses that control or process that data. Enforcement is handled exclusively by the Virginia Attorney General.
VCDPA applies to for-profit entities conducting business in Virginia or targeting Virginia residents that meet at least one threshold: controlling or processing personal data of 100,000 or more Virginia consumers per year, or processing data of 25,000 or more Virginia consumers and deriving more than 50% of gross revenue from selling personal data. There is no revenue threshold — the triggers are volume-based, meaning a high-traffic website with modest revenue can still be covered.
Virginia consumers have five rights: right to access (confirm and obtain a copy of data held about them); right to correct (fix inaccuracies); right to delete (request erasure); right to data portability (receive data in a usable format); and right to opt out of processing for targeted advertising, sale of personal data, or consequential profiling. Businesses must respond to verifiable requests within 45 days, extendable by a further 45 days with notice.
The Virginia Attorney General has exclusive enforcement authority. Before taking action, the AG must provide 30 days' written notice to cure. If uncured, civil penalties of up to $7,500 per violation can be imposed. There is no private right of action — individual consumers cannot sue businesses directly under VCDPA, unlike under CCPA/CPRA's limited breach lawsuit provision.
VCDPA does not require opt-in consent in the way GDPR does. However, it requires a clear opt-out mechanism for targeted advertising, data sale, and consequential profiling — and from January 2025, businesses must automatically honour the Global Privacy Control (GPC) browser signal as a valid opt-out. A consent management platform that detects GPC and blocks advertising scripts accordingly satisfies both requirements efficiently.
Key differences: VCDPA has no revenue threshold (CCPA triggers at $25M); VCDPA has no private right of action (CCPA allows limited breach lawsuits); VCDPA uses GDPR-style controller/processor terminology; VCDPA requires data protection assessments for high-risk activities; and VCDPA retains a 30-day cure period before enforcement (CCPA's was removed by CPRA). Both laws require opt-out of targeted advertising and honouring the GPC signal.