Does the Virginia Consumer Data Protection Act Apply to My Business?
General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.
The information in this article is for general informational purposes only and does not constitute legal advice. Laws change and individual circumstances vary. Consult a licensed Virginia attorney about your specific situation. Reading this article does not create an attorney-client relationship, nor does merely contacting our office through this website or any other means.
The Virginia Consumer Data Protection Act (VCDPA), codified at Va. Code § 59.1-571 et seq., took effect on January 1, 2023, making Virginia the second state in the nation to enact a comprehensive consumer privacy law. Since then, several other states have followed, but Virginia’s law remains a significant compliance obligation for businesses operating here in the New River Valley and across the Commonwealth.
Whether you run a software company near Virginia Tech in Blacksburg, a healthcare-adjacent practice in Christiansburg, or a regional retailer serving Montgomery County and beyond, the question of whether the VCDPA applies to your business is worth taking seriously.
Who Must Comply: The Coverage Thresholds
Not every business in Virginia is subject to the VCDPA. The law applies to entities that either conduct business in Virginia or produce products or services targeted to Virginia residents, and that meet at least one of the following thresholds during a calendar year:
- Control or process the personal data of 100,000 or more Virginia consumers, or
- Control or process the personal data of 25,000 or more Virginia consumers and derive more than 50% of gross revenue from the sale of personal data
The term “consumer” under the VCDPA refers to a Virginia resident acting in an individual or household context. It does not include individuals acting in a commercial or employment context, which is a meaningful carve-out for business-to-business operations.
For many small businesses in Christiansburg, Radford, or Pulaski, these thresholds may place them outside the law’s direct requirements. However, businesses that aggregate data across platforms, use third-party advertising networks, or operate apps with significant user bases may cross the 100,000-consumer threshold more easily than they expect.
Controllers vs. Processors: Understanding Your Role
The VCDPA draws a distinction between controllers and processors that mirrors the framework used in Europe’s General Data Protection Regulation.
A controller is an entity that determines the purposes and means of processing personal data. If your business decides what customer data to collect and why, you are almost certainly a controller.
A processor is an entity that processes personal data on behalf of a controller. Cloud service providers, payroll processors, and marketing platforms often act as processors. The VCDPA requires that controllers and processors formalize their relationship through a data processing agreement that addresses, among other things, the nature of the processing, the types of data involved, and each party’s obligations regarding security and breach notification.
If your business uses SaaS tools, payment processors, or any vendor that handles customer data on your behalf, you should review whether appropriate agreements are in place.
What Personal Data Is Covered
The VCDPA defines personal data broadly as any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data or publicly available information.
The law creates a heightened category called sensitive data, which includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, or citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person
- Personal data collected from a known child
- Precise geolocation data
Processing sensitive data requires obtaining the consumer’s opt-in consent, a more demanding standard than applies to non-sensitive personal data.
Consumer Rights Under the VCDPA
Virginia consumers covered by the law have specific rights they can exercise against controllers. These rights include:
- Right to access: Consumers can confirm whether a controller is processing their personal data and request a copy of that data.
- Right to correction: Consumers can request correction of inaccuracies in their personal data.
- Right to deletion: Consumers can request that a controller delete their personal data, subject to certain exceptions.
- Right to data portability: Consumers can obtain their personal data in a portable format.
- Right to opt out of: (1) the sale of personal data, (2) targeted advertising, and (3) profiling that produces legal or similarly significant effects.
Controllers must respond to authenticated consumer requests within 45 days, with a possible 45-day extension if the controller notifies the consumer of the delay and the reason for it. Businesses must establish a process for receiving and responding to these requests before an inquiry arrives.
Data Protection Assessments
The VCDPA requires controllers to conduct data protection assessments for certain categories of processing activities, including:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Processing personal data for profiling with legal or similarly significant effects
- Any processing that presents a heightened risk to consumers
These assessments must weigh the benefits of the processing activity against the risks to consumers and must be made available to the Attorney General on request. The obligation to conduct assessments applies to processing activities that occur after January 1, 2023.
Privacy Notice Requirements
Controllers must provide consumers with a clear and meaningful privacy notice that discloses:
- The categories of personal data processed
- The purposes for which the data is processed
- How consumers may exercise their rights
- The categories of personal data shared with third parties
- The categories of third parties with whom the data is shared
If the controller sells personal data or uses it for targeted advertising, the privacy notice must include a clear and conspicuous disclosure of that practice and instructions for opting out.
Many businesses that serve clients in the New River Valley and operate websites with analytics, advertising pixels, or third-party integrations may need to revisit the accuracy and completeness of their current privacy notices.
Enforcement: The Attorney General’s Role
Unlike California’s privacy law, the VCDPA does not include a private right of action. Consumers cannot sue a business directly for a VCDPA violation. Enforcement authority rests exclusively with the Virginia Attorney General (AG).
Before the AG may initiate an action, the business must receive written notice specifying the alleged violation. The business then has 30 days to cure the violation. If the violation is cured within that period and the business provides a written statement to the AG certifying the cure, no civil penalty may be imposed for that violation.
If a violation is not cured, the AG may seek civil penalties of up to $7,500 per violation. In addition, the AG can recover reasonable expenses and attorney’s fees.
The 30-day cure period makes early compliance particularly valuable: businesses that can identify and correct issues quickly have a meaningful opportunity to avoid penalties.
Practical Steps for New River Valley Businesses
If the VCDPA applies to your business, or if you are not certain whether it does, a practical compliance review might include the following:
- Map your data. Identify what personal data your business collects, where it is stored, how it is used, and with whom it is shared.
- Assess your thresholds. Count the Virginia consumers whose data you process to determine whether either coverage threshold applies.
- Audit your vendors. Review contracts with cloud providers, marketing platforms, and any other processors to confirm data processing agreements are in place.
- Update your privacy notice. Ensure your website privacy policy accurately describes your data practices and explains how Virginia consumers can exercise their rights.
- Establish a consumer request process. Create an internal workflow for receiving, authenticating, and responding to consumer rights requests within the 45-day window.
- Conduct required assessments. Identify processing activities that trigger the data protection assessment requirement and document those assessments.
- Review sensitive data handling. If you process sensitive data, confirm that opt-in consent mechanisms are in place.
Compliance with the VCDPA is not a one-time project. Data practices evolve as businesses grow, add new tools, or expand their services. A periodic review of your data map, contracts, and privacy notice helps ensure that your compliance posture keeps pace with your operations.
Businesses in and around Christiansburg, Blacksburg, and throughout Montgomery County that have questions about VCDPA applicability or compliance obligations may benefit from consulting with a Virginia attorney familiar with the law.
This article is general information only and is not legal advice. Do not rely on this article to make decisions about your specific situation. Contact Valley Legal or another licensed Virginia attorney to discuss your case. Attorney advertising.
Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.