Virginia became the second state after California to enact comprehensive consumer privacy legislation when it passed the Virginia Consumer Data Protection Act (VCDPA) in 2021. The law gives Virginia residents significant rights over their personal data and imposes obligations on businesses that collect and process consumer information. Understanding your rights under the VCDPA helps you take control of your personal information.
Who Is Protected by the VCDPA
The VCDPA protects Virginia residents acting in an individual or household context. The law does not cover individuals acting in commercial or employment contexts, meaning your workplace data and business-to-business interactions fall outside its scope. This consumer focus distinguishes the VCDPA from broader privacy frameworks.
The law applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents and that meet one of two thresholds: controlling or processing personal data of at least 100,000 consumers, or controlling or processing data of at least 25,000 consumers while deriving more than 50% of gross revenue from selling personal data.
Exemptions exist for certain entities and data types, including financial institutions covered by Gramm-Leach-Bliley, healthcare entities covered by HIPAA, nonprofits, and higher education institutions. Data already regulated under specific federal laws may also be exempt.
Your Right to Access Your Data
Virginia residents have the right to confirm whether a business is processing their personal data and to access that data. When you submit an access request, the business must provide the categories of personal data processed, the purposes for processing, categories of third parties with whom data is shared, and the specific pieces of personal data the business holds about you.
Businesses must respond to access requests within 45 days, with one 45-day extension permitted when reasonably necessary. The response must be provided free of charge, though businesses may charge a reasonable fee for manifestly unfounded or excessive requests.
Your Right to Delete Your Data
You have the right to request deletion of personal data that a business has collected about you. This includes data you provided directly and data the business obtained from other sources. Upon receiving a valid deletion request, the business must delete your personal data from its records.
Deletion rights have some limitations. Businesses may retain data necessary to complete transactions, provide requested goods or services, comply with legal obligations, detect security incidents, or exercise legal claims. However, they must delete data that falls outside these exceptions.
Your Right to Correct Inaccurate Data
The VCDPA gives you the right to correct inaccuracies in your personal data. If a business holds incorrect information about you, you can submit a correction request. The business must take reasonable steps to correct the inaccurate data, considering the nature of the data and the purposes for processing.
This right is particularly important for data that affects decisions about you, such as information used for credit decisions, insurance underwriting, or employment screening. Correcting errors in these contexts can have significant practical benefits.
Your Right to Data Portability
You have the right to obtain a copy of your personal data in a portable and readily usable format. This allows you to transfer your data to another service provider or simply maintain your own records. The data must be provided in a format that allows you to transmit it to another controller without hindrance.
Your Right to Opt Out
The VCDPA provides important opt-out rights regarding how businesses use your data. You can opt out of the processing of your personal data for purposes of targeted advertising, the sale of your personal data, and profiling that produces legal or similarly significant effects.
Targeted advertising means displaying advertisements based on personal data obtained from your activities across different businesses or websites. You can prevent businesses from using your browsing history and other behavioral data to serve you personalized ads.
Sale of personal data under the VCDPA means exchanging personal data for monetary consideration. If a business sells your data to third parties, you can direct the business to stop. Note that sharing data with service providers who process it on the business's behalf is not considered a sale.
Profiling that produces legal or similarly significant effects refers to automated decision-making that significantly impacts you, such as decisions about credit, employment, or insurance. You can opt out of being subject to these automated decisions.
Sensitive Data Protections
The VCDPA provides heightened protections for sensitive data, requiring your explicit consent before businesses can process certain categories of information. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data used for identification, personal data from a known child, and precise geolocation data.
Businesses cannot process sensitive data without first obtaining your consent. This opt-in requirement provides stronger protection than the opt-out rights that apply to other data processing activities.
How to Exercise Your Rights
To exercise your VCDPA rights, submit a request to the business through the methods they provide. Businesses must offer at least one method for submitting requests, and many provide online forms, email addresses, or toll-free numbers for this purpose.
You must provide sufficient information to allow the business to verify your identity and locate your data. Businesses can require authentication to ensure they are responding to the actual consumer. They cannot require you to create an account solely to submit a request.
If a business denies your request, you have the right to appeal. The business must provide information about how to submit an appeal and must respond to appeals within 60 days. If the appeal is denied, you must be informed of how to contact the Virginia Attorney General.
Enforcement and Remedies
The Virginia Attorney General has exclusive authority to enforce the VCDPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations. If you believe a business has violated your rights, you can file a complaint with the Attorney General's office.
Before bringing an enforcement action, the Attorney General must give the business 30 days to cure the alleged violation. If the business fails to cure, the Attorney General can seek injunctions and civil penalties of up to $7,500 per violation.
How VCDPA Compares to CCPA
While both laws grant similar consumer rights, key differences exist. The VCDPA's threshold requirements are based on the number of consumers rather than revenue, potentially covering different businesses than California's law. Virginia's law includes a cure period before enforcement, which California eliminated. The VCDPA also lacks a private right of action, whereas California allows private suits for certain data breaches.
Virginia's sensitive data provisions require opt-in consent, providing stronger protection than California's approach in some respects. However, California's law covers more businesses due to its revenue-based threshold and broader scope.
Conclusion
The Virginia Consumer Data Protection Act provides meaningful privacy rights to Virginia residents, including rights to access, delete, correct, and port personal data, as well as rights to opt out of data sales, targeted advertising, and certain profiling. While enforcement rests solely with the Attorney General, understanding and exercising these rights helps you maintain control over your personal information in an increasingly data-driven world.