Virginia Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

The Virginia Consumer Data Protection Act (CDPA) has an implementation date of January 2023.

Obligations under the CDPA are placed on any entity that conducts business or markets goods or services to consumers in Virginia and:

Controls or processes defined “personal” data of at least 100,000 Virginia consumers; or


Controls or processes personal information of at least 25,000 Virginia residents and derives 50% or more of its gross revenue from the sale of personal data.

Initially, the regulations do not apply to entities working in the commercial or employment contexts. Further, certain entities are exempt from the obligations under the CDPA, including certain government agencies, institutions of higher learning, non-profits, financial institutions and any entity whose data is subject to Title V of Gramm-Leach-Biley or HIPAA.

The CDPA obliges all controllers of data to have a privacy notice detailing what they collect, why it is collected and processed, how a consumer can assert their legal rights described below, what categories of personal information are shared with third parties and who those third parties generally are. If personal data is sold, this must be clearly set forth in the privacy notice.

A covered entity must have reasonable data security and get a data protection assessment. There must also be written contracts with anyone who processes its customers’ personal data.

The covered entities must also get consent to process specific defined “sensitive” personal data.

A consumer has the right to confirm the processing of consumer data and must have the ability to access this data. The Virginia consumer also has the right to delete the data, to correct inaccurate data, and the right to obtain the data in an accessible format. Finally, a consumer may opt out of having their data processed for certain reasons including targeted advertising and the sale of the data.

A covered entity must establish at least one secure means for a consumer to exercise these rights and must respond to requests within 45 days. There also must be a formal appeal procedure for any failure to act on a consumer’s request.

Only the state Attorney General has enforcement power under the CDPA. The maximum penalty for a violation is $7,500 per occurrence. Covered entities have a 30-day cure period to fix any deficiencies brought to their attention by the Attorney General.

Have more Questions?