VCDPA
Virginia Consumer Data Protection Act
The VCDPA is Virginia's comprehensive consumer privacy law, effective 1 January 2023, giving residents rights over their personal data and imposing duties on businesses that control or process it. It treats biometric data processed to uniquely identify a person as sensitive data requiring opt-in consent. Enforcement rests solely with the Virginia Attorney General.
Who it applies to
The VCDPA applies to businesses that conduct business in Virginia or target its residents and that control or process the personal data of either at least 100,000 consumers, or at least 25,000 consumers while deriving over 50 percent of gross revenue from selling personal data.
Identity requirements
- Obtain a consumer's opt-in consent before processing sensitive data, which includes biometric data processed to uniquely identify a person
- Honor consumer rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale, and certain profiling
- Provide a clear and accessible privacy notice describing data categories, purposes, sharing, and how to exercise rights
- Conduct and document data protection assessments for higher-risk processing such as targeted advertising, sale of data, and certain profiling
- Limit data collection to what is adequate, relevant, and reasonably necessary, and apply reasonable data security practices
- Bind processors by contract and ensure they assist the controller with compliance
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Opt-in consent is required before processing biometric data used to identify a person, shaping consumer consent capture in identity systems. |
| Identity verification (KYC/proofing) | Biometric identity proofing of Virginia residents falls under sensitive-data consent and assessment requirements. |
| Identity governance (IGA) | Rights to access, correct, and delete personal data require governed processes for locating and managing consumer identity records. |
| Audit, logging & accountability | Controllers must conduct and retain data protection assessments for higher-risk processing to demonstrate accountability. |
Penalties
The Attorney General may seek civil penalties of up to 7,500 dollars per violation after a 30-day notice and cure period, plus expenses; there is no private right of action.
VCDPA: frequently asked questions
- Does the VCDPA give consumers a right to sue?
  No. The VCDPA has no private right of action. Enforcement rests exclusively with the Virginia Attorney General, who must provide a 30-day cure period.
- How does the VCDPA treat biometric data?
  Biometric data processed to uniquely identify a person is sensitive data, which a controller may not process without the consumer's opt-in consent.
- When did the VCDPA take effect?
  It became effective on 1 January 2023, making Virginia the second US state with a comprehensive consumer data privacy law.