March 2, 2021

Virginia Governor Signs Nation's Second Comprehensive Consumer Data Privacy Law

Today, March 2, 2021, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act ("VCDPA"). By enacting the VCDPA, Virginia becomes the second state nationwide to implement a comprehensive consumer data privacy law, after California with the California Consumer Privacy Act ("CCPA"). While the VCDPA is similar to the CCPA in many respects, the law has a different scope and different obligations than the CCPA. Accordingly, impacted businesses must conduct a separate scope analysis, and, if subject to the VCDPA, they will need to set up different business rules to comply with the law.

The VCDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either (i) control or process personal data of at least 100,000 consumers during a calendar year, or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The VCDPA applies to information that is linked or reasonably linkable to an identified or identifiable person acting in an individual or household context. The law also provides special protections for sensitive data, which includes personal data including certain demographic, biometric, or location information, along with information on a known child.

However, the VCDPA does not apply to, among other things:

  • financial institutions or data subject to the federal Gramm-Leach-Bliley Act;
  • certain activities regulated by the Fair Credit Reporting Act;
  • information on persons acting in a commercial or employment context;
  • deidentified data; or
  • publicly available information.

Consumer Rights

The VCDPA provides consumers with a number of rights related to their personal data, several of which are similar to rights available under the CCPA. Under the VCDPA, consumers have the right:

  • to confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
  • to access their personal data;
  • to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the personal data;
  • to delete personal data provided by or obtained about them;
  • to obtain a portable copy of personal data that they previously provided to the controller; and
  • to opt out of the processing of personal data for (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controller Obligations

The VCDPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing.

Under the VCDPA, controllers must, among other things:

  • limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such personal data is processed, as disclosed to the consumer;
  • not process personal data for purposes that are not reasonably necessary or compatible with disclosed purposes, unless the controller obtains consumer consent;
  • establish, implement, and maintain data security practices;
  • not process personal data in violation of discrimination laws;
  • not process sensitive personal data without consent; and
  • clearly and conspicuously disclose if it sells personal data to third parties or processes personal data for targeted advertising and disclose the manner in which a consumer can exercise his or her opt-out rights.

Controllers must provide consumers with a privacy notice that includes certain information about personal data processed by the controller.

The VCDPA also requires controllers to conduct and document data protection assessments when engaging in the following activities:

  • the processing of personal data for purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers;
  • the processing of sensitive data; and
  • any processing activities involving personal data that present a heightened risk of harm to consumers.

Processor Obligations

A processor must follow a controller's instructions and must assist the controller in:

  • responding to consumer rights;
  • meeting breach notification obligations; and
  • providing information to enable the controller to conduct and document data protection assessments.

There are also requirements for contracts between controllers and processors.


The Virginia attorney general has exclusive authority to enforce the VCDPA. The attorney general may seek civil penalties of up to $7,500 for each violation of the VCDPA, in addition to injunctive relief.

The VCDPA does not contain a private right of action.

Effective Date

The VCDPA will become effective on January 1, 2023.


Copyright ┬ę 2021 LLC. All rights reserved. Reprinted with express permission from

Hudson Cook, LLP, provides articles, webinars and other content on its website from time to time provided both by attorneys with Hudson Cook, LLP, and by other outside authors, for information purposes only. Hudson Cook, LLP, does not warrant the accuracy or completeness of the content, and has no duty to correct or update information contained on its website. The views and opinions contained in the content provided on the Hudson Cook, LLP, website do not constitute the views and opinion of the firm. Such content does not constitute legal advice from such authors or from Hudson Cook, LLP. For legal advice on a matter, one should seek the advice of counsel.