Skip to content
GDPR by Law

United States · updated 2026-06-15

Virginia (USA)

Not required

Virginia wrote the template most other US states copied: opt-out rights, opt-in for sensitive data, mandatory data protection assessments, and a 30-day cure period. Comply here and you're close to compliant in a dozen states.

Law:
VCDPA (Virginia Consumer Data Protection Act)
Regulator:
Virginia Attorney General

Cookie consent

No banner mandate

Breach deadline

Without unreasonable delay

DPA with vendors

Required

Max fine

$7,500 per violation after an uncured 30-day cure period

What Virginia (USA) requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Applicability check

    §59.1-576

    Applies to businesses controlling data of 100,000+ Virginia consumers a year, or 25,000+ if over half of revenue comes from selling data. No revenue-only threshold — small data-light businesses are exempt.

    How to implement Note the carve-outs: B2B contact data and employee data are excluded entirely (unlike California), as are HIPAA and GLBA-covered entities.

    Conditional
  2. Privacy notice

    §59.1-578

    Clear notice of categories collected, purposes, sharing, and how to exercise rights, including how to appeal a refusal.

    How to implement Your GDPR/CCPA policy covers most of this — add the Virginia-specific appeal process description, which most companies miss.

    Required
  3. Opt-out mechanisms

    §59.1-577(A)(5)

    Opt-outs for targeted advertising, sale of personal data, and profiling with legal or similarly significant effects.

    How to implement A preference center or footer link works. GPC support isn't required in Virginia but implementing it anyway covers California and Colorado simultaneously.

    Conditional
  4. Opt-in consent for sensitive data

    §59.1-578(A)(5)

    Unlike California's 'limit use' model, Virginia requires affirmative opt-in consent before processing sensitive data: race, religion, health, sexual orientation, citizenship, genetics, biometrics, precise geolocation, children's data.

    How to implement If you collect precise location or health-adjacent data, add a consent prompt before collection — this is the sharpest GDPR-like edge in the law.

    Required
  5. Data protection assessments

    §59.1-580

    Documented assessments weighing benefits and risks for targeted advertising, sale, sensitive data, and significant profiling — producible to the AG on demand.

    How to implement A lightweight DPIA template works. Do one per qualifying activity and store them with dates; they're discoverable in an AG investigation.

    Conditional
  6. Processor contracts

    §59.1-579

    Binding contracts with processors covering confidentiality, deletion or return of data, audit rights, and subcontractor obligations.

    How to implement Your GDPR DPAs already satisfy the substance — confirm each vendor's addendum names US state laws, not just GDPR.

    Required

The details

Cookie consent
No opt-in banner. Consumers may opt out of targeted advertising, sale, and significant profiling. Unlike California, honoring universal opt-out signals like GPC is not required under VCDPA.
Data Protection Officer
No DPO requirement — but documented data protection assessments are mandatory for targeted advertising, sale, sensitive data, and profiling with significant effects.
Processing agreements
§59.1-579 requires binding contracts with processors covering confidentiality, deletion, audits, and subcontractor flow-down — a GDPR-style DPA satisfies the substance.
Breach notification
Virginia's breach statute (§18.2-186.6) requires notifying affected residents and the AG without unreasonable delay when 1,000+ residents are affected.
Enforcement in practice
No headline VCDPA fines yet — the AG must first offer a 30-day cure period, and most enforcement resolves quietly. The deterrent is per-violation stacking across affected consumers.

Data subject rights

What users can demand from you in Virginia (USA), and the engineering that satisfies each right.

Right to access

§59.1-577(A)(1)

Confirm processing and access personal data, with 45 days to respond (one 45-day extension).

Reuse your CCPA request workflow; verification requirements are similar.

Right to delete

§59.1-577(A)(3)

Deletion of personal data provided by or obtained about the consumer.

Broader on paper than California's (covers data 'obtained about' the consumer); apply your standard deletion pipeline with the usual legal-obligation exceptions.

Right to data portability

§59.1-577(A)(4)

Copy of data in a portable, readily usable format, up to twice annually.

Your existing JSON/CSV export satisfies this.

Right to correct

§59.1-577(A)(2)

Correction of inaccurate personal data.

Self-service edits plus a support workflow.

Right to opt out

§59.1-577(A)(5)

Opt out of targeted advertising, sale, and significant profiling.

Honor within 45 days; no universal-signal requirement, but a footer preference link is expected.

Right to appeal

§59.1-577(B)

Virginia's distinctive addition: consumers can appeal your refusal of a request, and you must answer the appeal within 60 days with written reasons — and tell them how to contact the AG.

Add an appeal path to your privacy request workflow (a second-level review inbox is enough). Most GDPR-first companies miss this entirely.

Tools that cover Virginia (USA)

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • privacy policy

    Termly

    Multi-state US policy generation including Virginia's appeal-process disclosures.

    Visit Termly →
  • compliance suite

    OneTrust

    Request-and-appeal workflows and data protection assessment templates mapped to VCDPA.

    Visit OneTrust →
  • cookie consent

    Osano

    US multi-state consent management with per-state opt-out configuration.

    Visit Osano →

Frequently asked questions

How is Virginia different from California?

Narrower scope (no revenue-only threshold, B2B and employee data excluded), no private right of action, no GPC requirement, a 30-day cure period — but stricter on sensitive data, which needs opt-in consent rather than California's 'limit use' link.

Which other states follow the Virginia model?

Colorado, Connecticut, Utah, and most of the dozen-plus states that followed copied Virginia's structure with variations. Colorado adds a universal opt-out signal requirement; Utah is lighter. Build to Virginia + California and the rest is mostly configuration.

What is the right to appeal and do I really need it?

If you refuse a consumer request, Virginia requires an appeal channel with a written answer within 60 days including how to complain to the AG. It's unique among privacy laws and an easy compliance win: a dedicated appeals inbox and a template response cover it.

Does GDPR compliance cover me for Virginia?

Substantively about 80%. The gaps: the appeal process, US-style privacy-notice categories, data protection assessments in Virginia's format, and opt-out links for targeted advertising. Timers also differ — 45 days, not 30.

Similar jurisdictions

Free download

Get GDPR updates for Virginia (USA)

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.