VCDPA

Virginia Consumer Data Protection Act

Key Facts

Effective Date: January 1, 2023
Enacted: March 2, 2021
Enforcing Authority: Virginia Attorney General
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Persons conducting business in Virginia or targeting Virginia residents: 100,000+ consumers OR 25,000+ consumers and 50%+ revenue from selling PI

Overview

The VCDPA was the second US state comprehensive privacy law and became the template that most subsequent state laws followed. It established the opt-out model with opt-in for sensitive data that has become the standard US approach. A permanent 30-day cure period distinguishes it from newer laws.

What This Means for Your Website

  • A clear privacy notice is required for Virginia visitors
  • Opt-in consent is needed before processing sensitive data
  • Consumers can access, correct, delete, and port their data, and opt out of targeted advertising
  • Data protection assessments are required for targeted advertising and profiling
  • A 30-day cure period applies before enforcement action (permanent — does not sunset)
  • Under-13 data is classified as sensitive, requiring opt-in consent

Key Requirements

The Virginia AG enforces the VCDPA with penalties up to $7,500 per violation. Consumer requests must be fulfilled within 45 days (extendable by 45 days). The permanent 30-day cure period gives businesses a window to fix violations before penalties apply. SB 361 (2025) added social media restrictions for minors.

How ConsentStack Handles This

ConsentStack detects Virginia visitors and applies the VCDPA opt-out model with opt-in for sensitive data categories. Consumer opt-out preferences are recorded and respected.

Penalties

Up to $7,500 per violation.

Maximum Fine: $7,500 per violation

Key Requirements

  • Clear and meaningful privacy notice
  • Opt-in consent before processing sensitive data
  • Consumer rights: access, correct, delete, portability, opt-out
  • Data protection assessments for targeted advertising and profiling
  • 45-day response window for consumer requests
  • Data minimization obligations

Notable Provisions

  • Template for most subsequent US state privacy laws
  • Permanent 30-day cure period
  • SB 361 (2025) adds social media restrictions for minors

US State Specifics

Cure Period: 30 days
Private Right of Action: No
Global Opt-out Required: No
Sensitive Data Opt-in: Yes
Children Provisions: Under 13 classified as sensitive data requiring opt-in consent.

Other North America Regulations

CPRA - California, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA - California, United States
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA - Canada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 - Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA - Colorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA - Texas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

How does the VCDPA differ from CPRA?

The VCDPA has a permanent 30-day cure period, does not require honoring GPC signals, and is enforced solely by the AG (no dedicated agency). It has no private right of action.

What is the VCDPA cure period?

30 days — permanent, meaning it does not sunset. Businesses have 30 days to fix violations before the AG can take enforcement action.

Does the VCDPA require a cookie banner?

The VCDPA requires an opt-out mechanism for targeted advertising and data sales, plus opt-in consent for sensitive data. ConsentStack implements both.

What are the VCDPA penalties?

Up to $7,500 per violation, enforced exclusively by the Virginia Attorney General.
