Skip to Main Content
  • Professionals
  • Practices
  • Industries
  • Experience
  • News & Events





Quick Results
View More Results
Search
  • Home
  • U.S. Consumer Data Privacy Law Guide: Virginia
U.S. Consumer Data Privacy Law Guide: Virginia

This state-specific guide covers data privacy law, rules, and regulations that professionals and clients often encounter or have questions about in Virginia.

Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The Virginia Consumer Data Protection Act (VCDPA)

Effective Date: January 1, 2023; amended in May 2024 with additional consent requirements for processing children's personal data.

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, the VCDPA applies to any individual or legal entity doing business in Virginia or producing products or services targeted to residents of Virginia (consumer) that, during a calendar year, controlled or processed either:

  • 100,000+ Virginia consumers' personal data being processed; or
  • 25,000+ Virginia consumers' personal data being processed and derived more than 50 percent of its revenue from the sale of personal data.

2. Key Definitions:

Sales of Personal Data: Narrowly defined as "the exchange of personal data for monetary consideration by the controller to a third party" subject to a few exemptions. Whereas the "sales of personal data" under California laws occur when the data exchange is for monetary or other valuable consideration."

3. Heightened Protection for Children under the Age of 13:

In May 2024, the VCDPA was amended to impose additional requirements on Controllers that process personal data of a known "child." The VCDPA amendment is set to take effect on January 1, 2025. Without consent from a parent or legal guardian, a controller is prohibited from processing personal data collected from a child under the age of 13 for:

  • targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similar significant effects;
  • unless such processing is reasonably necessary to provide an online service, product, or feature and only for the duration as required for that specific purpose; or
  • other purposes that the Controller didn't disclose at the time of collection or is not compatible with the disclosed processing purposes.

4. Business Obligations:

The VCDPA imposes additional obligations on individuals or legal entities that determine the purpose and means of processing personal information (Controller):

  • Data Processing Agreement (DPA): Processing activities by a supplier (known as Processor) shall be governed by a DPA between the Controller and Processor.
  • Privacy Policy: The Controller must provide consumers with a privacy policy, including a list of required information.
  • Data Protection Assessment: Controllers must conduct and document a data protection impact assessment for certain processing activities that present a higher risk of harm to consumers.

Effective January 1, 2025, for a Controller offering online services, products, or features (excluding telecommunication services), it must also conduct additional data protection assessment to address the potential use of its online offerings by children under the age of 13.

5. Consumer Rights:

Subject to certain exceptions, Virginia consumers can exercise the following consumer rights (or designate an authorized agent) to:

  • Confirm whether or not a Controller is processing its personal data, and access such personal data;
  • Correct inaccuracies in their personal data;
  • Delete personal data provided by, or obtained about, the consumer;
  • Obtain a copy of the personal data that the consumer previously provided to the Controller in a portable and readily usable format; and
  • Opt-out of data processing for targeted advertising, sales of personal data, and profiling for solely automated decisions producing legal or similarly significant effects.

6. Enforcement and Penalties:

Private Right of Action: None.

Penalties: $7,500 per violation.

Cure Period: A 60-day cure period. Unlike some states, this is a permanent cure period that does not have a cutoff date.

U.S. Consumer Data Privacy Law Guides

Key Contact

 
Vivien F. Peaden, AIGP, CIPP/US, CIPP/E, CIPM, PLS
T: 678.406.8722
  Email Professional

Related Practices

Resources

Have Questions?
Let's Talk!

To contact a Baker Donelson Privacy Professional, click above to email us.

Search By Last Name

ABCDEFGHIJKLMNOPQRSTUVWXYZ
The Howard Baker Forum The Daschle Group
Instagram LinkedIn
Baker Donelson is a national law firm with more than 650 attorneys and public policy advisors representing more than 30 practice areas to serve a wide range of legal needs. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 24 offices in Alabama, Florida, Georgia, Louisiana, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Texas, Virginia, and Washington, D.C.
©2025 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept