The Virginia Consumer Data Protection Act was signed into law on March 2, 2021. It subsequently came into effect on January 1, 2023.

The Virginia Attorney General is responsible for policing this Act and any necessary prosecutions. Businesses could face fines of up to $7,500 per violation under this law.

Who Does it Affect

Entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents that either:

  • Control or process the personal data of at least 100,000 consumers during a calendar year
  • Or, control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.


  1. A body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision
  2. Any financial institution or data subject to the Gramm-Leach-Bliley Act
  3. A covered entity or business subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act
  4. A nonprofit organization
  5. An institution of higher education
  6. Other dataset exemptions

Consumer Rights

The right to confirm whether or not a controller is processing their personal data and to access that data.

Inaccuracies in their personal data, considering the nature of the data and the purposes of the processing of their data.

Personal data provided by or obtained about them.

The right to obtain a copy of their personal data that they previously provided to the controller in a portable and to the extent that is technically feasible, readily used format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

Of the processing of personal data for the purposes of: targeted advertising; the sale of personal data; or, profiling in advancing decisions that produce legal or similarly significant effects concerning the consumer.

A business’ denial to act within a reasonable time.
Businesses must respond within 45 days of receipt of the request. A business may then extend the deadline by an additional 45 days but they must notify the consumer within the original response window. If they fail to do this a controller must establish a process for a consumer to appeal the controller’s refusal. If the appeal is denied, the controller must notify the consumer on how they can complain to the attorney general.


The Virginia attorney general is responsible for the enforcement of the Virginia Consumer Data Protection Act. Once notified a controller has 30 days to cure the violation and provide the attorney general with a written statement that the alleged violations are cured and no further violations will occur. Failure to cure the violation could result in a fine of up to $7,500 per violation.

Value Privacy are on hand to make sure your business is compliant with data and privacy regulations. Whether you need a privacy health check or you want help to make sure you and your business are ready for the arrival of the Colorado Privacy Act, we’re here to help. You can find out more about what we do or contact us and have a chat about your needs.