
The Virginia Consumer Data Protection Act (VCDPA)
This means that if you collect data for a mailing list or for shipping, just to name a few, then this means you.
This law also gives the consumer the right to obtain a copy of data the consumer has previously provided, in a readable and usable format “to the extent technically feasible”.
This law will allow consumers to opt out of targeted advertising and the sale of their personal data. The business must also respond to requests within 45 days of notice.
The good news is that the new law has a few limitations that may help you as a business owner. The law only applies to Virginians’ personal data “in an individual or household context.” What counts as personal data is also limited under the new law. This means that information lawfully made available through government records is exempted, and “that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.”
Consumers also have no right to protect data that they post publicly on Social Media sites like Facebook.
FAQs
The Virginia Consumer Data Protection Act (VCDPA) is a state privacy law signed on March 2, 2021, that took effect January 1, 2023. It gives Virginia residents specific rights over their personal data — including the right to access it, correct it, delete it, and opt out of it being sold or used for targeted advertising. Businesses that collect personal data from Virginia consumers may be required to honor these rights upon request.
Not every business is covered. The VCDPA applies to businesses that control or process personal data of at least 100,000 Virginia consumers per year, or at least 25,000 consumers if the business derives more than 50% of its gross revenue from selling personal data. Many small businesses fall below these thresholds, but if you run an e-commerce site, collect email lists, or process customer data at scale, it's worth reviewing your obligations with a qualified attorney.
Virginia consumers have the right to know what personal data a business has collected about them, to correct inaccurate data, to request deletion of their data, to obtain a portable copy of data they have provided, and to opt out of the sale of their data and targeted advertising. Businesses must respond to these requests within 45 days, with a possible 45-day extension in complex cases.
The law has several important exemptions. It does not apply to data used in an employment or commercial context — only personal data collected in an individual or household context. Information already publicly available through government records is also excluded, as is data that consumers have made publicly available through widely distributed media such as social media posts.
Start by reviewing what personal data your website collects — through contact forms, mailing list sign-ups, e-commerce checkout, or tracking tools. Make sure your privacy policy clearly discloses what data you collect and how it is used. If your business meets the VCDPA thresholds, you will also need a mechanism for consumers to submit data access and deletion requests. Simply Web Services can help review your website's data collection practices and point you toward the right next steps.
Not sure if your website is collecting data in compliance with Virginia law?
From privacy policies to data collection forms, Simply Web Services can help ensure your website meets current legal requirements.