United States · updated 2026-06-15
Virginia (USA)
Virginia wrote the template most other US states copied: opt-out rights, opt-in for sensitive data, mandatory data protection assessments, and a 30-day cure period. Comply here and you're close to compliant in a dozen states.
- Law:
- VCDPA (Virginia Consumer Data Protection Act)
- Regulator:
- Virginia Attorney General
Cookie consent
No banner mandate
Breach deadline
Without unreasonable delay
DPA with vendors
Required
Max fine
$7,500 per violation after an uncured 30-day cure period
What Virginia (USA) requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Applicability check
§59.1-576Applies to businesses controlling data of 100,000+ Virginia consumers a year, or 25,000+ if over half of revenue comes from selling data. No revenue-only threshold — small data-light businesses are exempt.
How to implement Note the carve-outs: B2B contact data and employee data are excluded entirely (unlike California), as are HIPAA and GLBA-covered entities.
Conditional -
Privacy notice
§59.1-578Clear notice of categories collected, purposes, sharing, and how to exercise rights, including how to appeal a refusal.
How to implement Your GDPR/CCPA policy covers most of this — add the Virginia-specific appeal process description, which most companies miss.
Required -
Opt-out mechanisms
§59.1-577(A)(5)Opt-outs for targeted advertising, sale of personal data, and profiling with legal or similarly significant effects.
How to implement A preference center or footer link works. GPC support isn't required in Virginia but implementing it anyway covers California and Colorado simultaneously.
Conditional -
Opt-in consent for sensitive data
§59.1-578(A)(5)Unlike California's 'limit use' model, Virginia requires affirmative opt-in consent before processing sensitive data: race, religion, health, sexual orientation, citizenship, genetics, biometrics, precise geolocation, children's data.
How to implement If you collect precise location or health-adjacent data, add a consent prompt before collection — this is the sharpest GDPR-like edge in the law.
Required -
Data protection assessments
§59.1-580Documented assessments weighing benefits and risks for targeted advertising, sale, sensitive data, and significant profiling — producible to the AG on demand.
How to implement A lightweight DPIA template works. Do one per qualifying activity and store them with dates; they're discoverable in an AG investigation.
Conditional -
Processor contracts
§59.1-579Binding contracts with processors covering confidentiality, deletion or return of data, audit rights, and subcontractor obligations.
How to implement Your GDPR DPAs already satisfy the substance — confirm each vendor's addendum names US state laws, not just GDPR.
Required
The details
- Cookie consent
- No opt-in banner. Consumers may opt out of targeted advertising, sale, and significant profiling. Unlike California, honoring universal opt-out signals like GPC is not required under VCDPA.
- Data Protection Officer
- No DPO requirement — but documented data protection assessments are mandatory for targeted advertising, sale, sensitive data, and profiling with significant effects.
- Processing agreements
- §59.1-579 requires binding contracts with processors covering confidentiality, deletion, audits, and subcontractor flow-down — a GDPR-style DPA satisfies the substance.
- Breach notification
- Virginia's breach statute (§18.2-186.6) requires notifying affected residents and the AG without unreasonable delay when 1,000+ residents are affected.
- Enforcement in practice
- No headline VCDPA fines yet — the AG must first offer a 30-day cure period, and most enforcement resolves quietly. The deterrent is per-violation stacking across affected consumers.
Data subject rights
What users can demand from you in Virginia (USA), and the engineering that satisfies each right.
Right to access
§59.1-577(A)(1)Confirm processing and access personal data, with 45 days to respond (one 45-day extension).
Reuse your CCPA request workflow; verification requirements are similar.
Right to delete
§59.1-577(A)(3)Deletion of personal data provided by or obtained about the consumer.
Broader on paper than California's (covers data 'obtained about' the consumer); apply your standard deletion pipeline with the usual legal-obligation exceptions.
Right to data portability
§59.1-577(A)(4)Copy of data in a portable, readily usable format, up to twice annually.
Your existing JSON/CSV export satisfies this.
Right to correct
§59.1-577(A)(2)Correction of inaccurate personal data.
Self-service edits plus a support workflow.
Right to opt out
§59.1-577(A)(5)Opt out of targeted advertising, sale, and significant profiling.
Honor within 45 days; no universal-signal requirement, but a footer preference link is expected.
Right to appeal
§59.1-577(B)Virginia's distinctive addition: consumers can appeal your refusal of a request, and you must answer the appeal within 60 days with written reasons — and tell them how to contact the AG.
Add an appeal path to your privacy request workflow (a second-level review inbox is enough). Most GDPR-first companies miss this entirely.
Tools that cover Virginia (USA)
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
privacy policy
Termly
Multi-state US policy generation including Virginia's appeal-process disclosures.
Visit Termly → -
compliance suite
OneTrust
Request-and-appeal workflows and data protection assessment templates mapped to VCDPA.
Visit OneTrust → -
cookie consent
Osano
US multi-state consent management with per-state opt-out configuration.
Visit Osano →
Frequently asked questions
How is Virginia different from California?
Narrower scope (no revenue-only threshold, B2B and employee data excluded), no private right of action, no GPC requirement, a 30-day cure period — but stricter on sensitive data, which needs opt-in consent rather than California's 'limit use' link.
Which other states follow the Virginia model?
Colorado, Connecticut, Utah, and most of the dozen-plus states that followed copied Virginia's structure with variations. Colorado adds a universal opt-out signal requirement; Utah is lighter. Build to Virginia + California and the rest is mostly configuration.
What is the right to appeal and do I really need it?
If you refuse a consumer request, Virginia requires an appeal channel with a written answer within 60 days including how to complain to the AG. It's unique among privacy laws and an easy compliance win: a dedicated appeals inbox and a template response cover it.
Does GDPR compliance cover me for Virginia?
Substantively about 80%. The gaps: the appeal process, US-style privacy-notice categories, data protection assessments in Virginia's format, and opt-out links for targeted advertising. Timers also differ — 45 days, not 30.
Similar jurisdictions
Free download
Get GDPR updates for Virginia (USA)
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.