Virginia Consumer Data Protection Act
Fast track (Summarised definition)
The Virginia Consumer Data Protection Act is comprehensive privacy legislation enacted in 2021, effective from January 2023. Grants consumers rights over personal data including access, correction, deletion, and portability. Applies to businesses processing personal data of Virginia residents. Requires privacy notices, data protection assessments, and opt-out mechanisms for targeted advertising.
Full lap (Full definition)
The Virginia Consumer Data Protection Act is comprehensive privacy legislation enacted by the Commonwealth of Virginia in 2021, taking effect on January 1, 2023. As one of the early state-level privacy laws in the United States, the VCDPA establishes fundamental rights for consumers regarding their personal data while imposing specific obligations on businesses that collect, process, or sell personal information of Virginia residents.
The Act applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents, and either control or process personal data of at least 100,000 consumers during a calendar year, or derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. These thresholds ensure the law focuses on larger data processors while providing exemptions for smaller businesses.
Consumer rights under the VCDPA include the right to access personal data, correct inaccuracies, delete personal data, obtain copies of personal data in a portable format, and opt out of targeted advertising, sale of personal data, or profiling for decisions that produce legal or significant effects. Consumers can exercise these rights through authenticated requests to businesses, which must respond within 45 days.
Business obligations include providing clear privacy notices that explain data collection practices, purposes, consumer rights, and contact information for privacy inquiries. Companies must implement reasonable security measures, conduct data protection assessments for high-risk processing activities, and establish processes for handling consumer requests efficiently.
The VCDPA includes enforcement mechanisms through the Virginia Attorney General's office, which can investigate violations and impose civil penalties up to $7,500 per violation. The law provides a 30-day cure period for first-time violations, allowing businesses to address compliance issues before facing penalties.
Marketing implications include requirements for transparent data collection practices, opt-out mechanisms for targeted advertising, and careful handling of consumer data throughout marketing campaigns and customer relationship management systems.