What You Need to Know About the Virginia Consumer Data Protection Act

Updated on: April 28, 2021

On March 2, 2021, Virginia Governor Ralph Northam passed the Virginia Consumer Data Protection Act (VCDPA), making Virginia the second state to establish data privacy legislation, behind California’s 2018 California Consumer Privacy Act (CCPA). Below is an outline of the key pieces of the VCDPA to gain a comprehensive understanding of how this bill will affect your company and how you can better prepare for the bill’s effective date of January 1, 2023.

Who Does the VCDPA Impact?

The VCDPA affects companies who conduct business in Virginia or produce products or services targeted to residents in Virginia and one of the following:

  • Control or process personal data of at least 100,00 Virginia consumers.
  • Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

What Data Does the VCDPA Affect?

The VCDPA affects personal data revealing racial or ethnic origin, data collected from children, and precise geolocation data.

This bill follows the approach taken by the CCPA, as well as Article 9 of the General Data Protection Regulation (GDPR). However, unlike either the CCPA or the GDPR, the VCDPA imposes additional requirements on controllers and processors to secure affirmative consumer consent prior to collecting any such information.

What Differentiates the GDPR, the CCPA, and the VCDPA? 

Below is a chart showcasing the variances between the three consumer privacy acts: 

There are specific violations that are associated with the VCDPA: 

  • The Attorney General retains exclusive authority to enforce this chapter by bringing an action in the name of the Commonwealth, or on behalf of persons residing in the Commonwealth. The Attorney General may issue a civil investigative demand to any controller or processor believed to be engaged in, or about to engage in, any violation of this chapter. The provisions of § 59.1-9.10 shall apply to civil investigative demands issued under this section. 
  • Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. 
  • The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, of any action initiated under this chapter.  

Along with the following exemptions: 

  • Financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act. 
  • Companies serving clients who are acting in commercial, or employment contexts are exempted from the VCDPA.   

What Preventative Measures Can Your Company Take? 

As the VCDPA has now been passed, there are steps that your company can take to prepare for the effective date. Through preventative measures, you can be better protected against data privacy risk and avoid policy violations: 

  • Identify if the VCDPA applies to your company given the mandated requirements.   
  • Assess the thirdparty relationships that are handling your consumers’ data. 
  • Determine what type of personal information is being collected.  
  • Develop data protection assessment process.  

What’s Next for Data Privacy? 

Consumer data privacy is a movement that is quickly gaining momentum across the country. The theme of privacy and security has become an integral part of the risk management industry. Numerous states have begun the process of implementing data privacy laws into place to protect consumers’ personal and sensitive data. As of April 28, 2021, the following states have an active, introduced, failed, or passed data privacy bill:


If you’re looking to learn more about the VCDPA and how it will affect your company, please reach out to our Risk Management teamYou can also view our Risk Management page for a full overview of the services we provide. 

Related Insights


Subscribe to our Insights

A collection of insights about our capabilities, solutions, people, and client successes.