# Virginia Consumer Privacy Law (VCDPA)[^about]

The Virginia Consumer Data Protection Act gives Virginia consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds. It became the model for many state privacy laws; it is enforced exclusively by the Attorney General, with a permanent 30-day cure period, and provides no private right of action.

## Does the Virginia Consumer Data Protection Act apply to your business? {#does-vcdpa-apply}

**Short answer.** It turns on consumer volume, not revenue. The VCDPA applies to persons that do business in Virginia or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data [^stat-576-apply].

Virginia was the second state (after California) to enact a comprehensive privacy law, and its structure became the template much of the country copied, so this note reads much like the Colorado, Connecticut, and Texas notes. Like those laws, it sets no dollar revenue floor; unlike Colorado, it exempts nonprofit organizations, along with state agencies and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Virginia resident acting in an individual or household context, not an employee or business contact.

## What must your Virginia privacy policy contain? {#privacy-policy-contents}

**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties [^stat-578-notice].

For a template privacy policy, section 59.1-578 is the content checklist. Virginia also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and, where a controller sells personal data or processes it for targeted advertising, a clear disclosure of that and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.

## What must your contracts with processors say? {#vendor-contracts}

**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-579-contract].

Section 59.1-579 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with assessments, and a requirement to bind subcontractors by written contract to the same obligations [^stat-579-terms]. A compliant template DPA tracks each of these.

## Do you need consent to process sensitive data? {#sensitive-data}

**Short answer.** Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-578-consent]. Sensitive data includes data revealing race or ethnicity, religious beliefs, a health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data; data from a known child; and precise geolocation.

This is the opt-in model shared by California, Colorado, and Texas, and the opposite of Utah's notice-and-opt-out approach. Virginia does not, however, require honoring a universal opt-out preference signal the way California, Colorado, and Connecticut do, so a Virginia-only program can rely on its own opt-out mechanisms, although a multi-state template generally has to support universal signals to stay compliant elsewhere.

## Can a consumer sue your business under the VCDPA? {#consumer-lawsuit}

**Short answer.** No. The Attorney General has exclusive authority to enforce the VCDPA, so there is no private right of action for consumers [^stat-584-enforce]. Before suing, the Attorney General must give 30 days' written notice of the specific alleged violations and a chance to cure [^stat-584-cure].

Unlike Colorado and Connecticut, Virginia's 30-day cure period has not sunset — it remains a permanent, built-in off-ramp. A controller that cures within the window and certifies it in writing avoids the action; an uncured violation exposes it to civil penalties of up to $7,500 per violation. The practical posture is still to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.

[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-04. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Virginia. This article synthesizes Virginia primary law and is not legal advice from a Virginia-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-576-apply]: **Va. Code § 59.1-576** — "This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data." *Va. Code § 59.1-576(A).* <https://law.lis.virginia.gov/vacode/59.1-576/>

[^stat-578-notice]: **Va. Code § 59.1-578** — "reasonably accessible, clear, and meaningful privacy notice that includes: 1. The categories of personal data processed by the controller; 2. The purpose for processing personal data; 3. How consumers may exercise their consumer rights pursuant to § 59.1-577, including how a consumer may appeal a controller's decision with regard to the consumer's request; 4. The categories of personal data that the controller shares with third parties, if any; and 5. The categories of third parties, if any, with whom the controller shares personal data." *Va. Code § 59.1-578(C).* <https://law.lis.virginia.gov/vacode/59.1-578/>

[^stat-579-contract]: **Va. Code § 59.1-579** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *Va. Code § 59.1-579(B).* <https://law.lis.virginia.gov/vacode/59.1-579/>

[^stat-579-terms]: **Va. Code § 59.1-579** — "The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: 1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; 2. At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; 3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter; 4. Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request; and 5. Engage any subcontractor pursuant to a written contract in accordance with subsection C that requires the subcontractor to meet the obligations of the processor with respect to the personal data." *Va. Code § 59.1-579(B).* <https://law.lis.virginia.gov/vacode/59.1-579/>

[^stat-578-consent]: **Va. Code § 59.1-578** — "process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act." *Va. Code § 59.1-578(A)(5).* <https://law.lis.virginia.gov/vacode/59.1-578/>

[^stat-584-enforce]: **Va. Code § 59.1-584** — "The Attorney General shall have exclusive authority to enforce the provisions of this chapter." *Va. Code § 59.1-584(A).* <https://law.lis.virginia.gov/vacode/59.1-584/>

[^stat-584-cure]: **Va. Code § 59.1-584** — "30 days' written notice identifying the specific provisions of this chapter the Attorney General alleges have been or are being violated." *Va. Code § 59.1-584(B).* <https://law.lis.virginia.gov/vacode/59.1-584/>
