Privacy Law Status

Your Rights as a Virginia Resident

The Virginia Consumer Data Protection Act grants Virginia residents comprehensive rights over their personal information when dealing with covered businesses. These rights empower consumers to control how their data is collected, used, and shared in the digital marketplace.

• Right to know what data is collected: You can confirm whether a business is processing your personal data and request information about what specific data they have collected about you[3][7][8]
• Right to delete personal information: You can request that businesses delete personal data they have collected about you, including information obtained from other sources beyond what you directly provided[3][8][9]
• Right to opt out of data sales: You can opt-out of the sale of your personal data to third parties, as well as opt-out of targeted advertising and profiling activities that may affect you[1][3][7]
• Right to correct inaccurate data: You can request that businesses correct any inaccuracies in the personal data they maintain about you[3][7][8]
• Right to data portability: You can obtain copies of your personal data in a portable, readily usable format that allows you to transfer the information to other services[3][7]
• Right to non-discrimination: Businesses cannot discriminate against you for exercising your privacy rights, though they may offer different prices or services for loyalty program participants[10][9]

These rights apply when dealing with businesses that meet the VCDPA’s coverage thresholds and are not exempt from the law. Virginia residents can invoke these rights by submitting requests directly to the businesses that control their personal data[7][8].

Business Requirements

The VCDPA establishes specific obligations for businesses that collect and process Virginia residents’ personal data. These requirements ensure transparency and accountability in data handling practices.

• Coverage thresholds: The law applies to businesses conducting business in Virginia or targeting Virginia residents that either control or process personal data of 100,000 or more consumers annually, or control or process data of 25,000 or more consumers while deriving over 50% of gross revenue from data sales[1][3][11]
• Notice and transparency requirements: Covered businesses must provide clear, reasonably accessible privacy notices explaining their data collection purposes, categories of data processed, data sharing practices, and how consumers can exercise their rights[10][5]
• Consumer request response procedures: Businesses must establish procedures to respond to consumer rights requests and provide mechanisms for consumers to appeal denials of their requests[5][8]
• Sensitive data protections: Companies must obtain explicit opt-in consent before processing sensitive data such as racial or ethnic origin, health information, precise geolocation data, and information about children under 18[1][6][10]
• Data protection assessments: Businesses must conduct formal risk assessments for high-risk processing activities including data sales, sensitive data processing, targeted advertising, and profiling[1][11][10]
• Security and breach obligations: Companies must implement appropriate technical and organizational measures to protect personal data, though the VCDPA does not modify existing data breach notification requirements[12][5]

Practical Impact

The VCDPA creates meaningful protections for Virginia residents in their daily digital interactions, though the law’s effectiveness depends on proper implementation and enforcement.

• Daily life protections: Virginia residents gain control over how their personal information is used for targeted advertising, can prevent the sale of their data to third parties, and can correct inaccurate information that might affect them in credit, employment, or other important decisions[1][3][7]
• Violation response process: If you believe your VCDPA rights have been violated, you can file a complaint with the Virginia Attorney General’s Office through their Consumer Protection Hotline at 1-800-552-9963 or online complaint system[7][8][13]
• Enforcement limitations: While Virginia residents cannot generally sue companies directly for privacy violations, they can seek civil damages for specific sensitive data violations, and the Attorney General can bring further enforcement actions[2][4][5]
• Business cooperation requirements: The 30-day cure period means businesses have an opportunity to fix violations before facing penalties, which can benefit consumers by encouraging quick resolution of issues[1][2][4]
• Exemption gaps: Important sectors including government entities, financial institutions covered by federal banking laws, healthcare entities under HIPAA, and nonprofits are exempt from the law’s requirements[14][11][5]

Comparison Context

Virginia’s privacy law represents a significant step forward for consumer protection, though it differs from other leading privacy states in several important ways.

• Enforcement approach: Unlike California, which allows private lawsuits for certain violations, Virginia primarily relies on Attorney General enforcement with a 30-day cure period that reduces penalties for businesses[2][4][9]
• Scope of opt-out rights: Virginia provides broader opt-out rights than California’s original law, covering not just data sales but also targeted advertising and profiling activities[9]
• Revenue thresholds: Virginia’s law has no revenue threshold for coverage, instead focusing on data volume thresholds (100,000 consumers or 25,000 with 50%+ revenue from data sales), which may exclude some large companies that don’t process significant consumer data[5][15]
• Sensitive data protections: Virginia requires opt-in consent for processing sensitive data, providing stronger protections than many other state laws for categories like health information and precise location data[1][10]
• Regulatory guidance: Unlike California, Virginia has not issued detailed implementing regulations, leaving businesses to interpret the law’s requirements based solely on the statutory text[1]
• Penalty structure: Virginia’s maximum penalty of $7,500 per violation is lower than some other states, though violations can accumulate quickly for businesses with large databases[1][12]

Action Steps for Residents

Virginia residents can take several concrete steps to protect their privacy and exercise their legal rights under the VCDPA.

• Review privacy policies: Check the privacy policies of websites and apps you use to understand what data they collect and whether they offer opt-out mechanisms for Virginia residents[10]
• Submit data rights requests: Contact businesses directly to exercise your rights to access, correct, delete, or obtain copies of your personal data – businesses covered by the VCDPA must provide clear methods for submitting these requests[10][7][8]
• Opt out of data sales and targeting: Look for opt-out links on websites and in privacy policies, and submit requests to prevent companies from selling your data or using it for targeted advertising[7][8]
• File complaints when appropriate: If a business fails to respond to your rights requests or you suspect VCDPA violations, contact the Virginia Attorney General’s Consumer Protection Unit at 1-800-552-9963 or through their online complaint system[7][8][13]
• Stay informed about privacy developments: Subscribe to the Attorney General’s Consumer Protection Quarterly News and Scam Alerts to stay updated on privacy enforcement and consumer protection initiatives[16]
• Understand your limitations: While direct lawsuits are not generally available, Virginia allows consumers to seek civil damages for specific sensitive data violations, and the Attorney General can investigate and take action on your behalf[2][4][5]

Official Resources and Contact Information

Virginia Attorney General – Consumer Protection

The Virginia Attorney General’s Office is the primary enforcement agency for the VCDPA and handles consumer privacy complaints.

Consumer Protection Hotline: 1-800-552-9963 (Virginia residents) or (804) 786-2042 (Richmond area/out of state)

Business Hours: 8:30 a.m. to 5:00 p.m., Monday through Friday

Online Contact: Virginia AG Consumer Protection Contact Form

VCDPA Information: Virginia Attorney General’s Office

Virginia General Assembly

Contact your state legislators to advocate for privacy legislation improvements or express concerns about data protection issues.

Find Your Legislators: Who’s My Legislator – Virginia General Assembly

General Assembly Website: Virginia General Assembly

Legislative Contact Information: Use the “Who’s My Legislator” tool to find specific contact details for your House of Delegates member and State Senator based on your address

Additional Consumer Protection Resources

Department of Agriculture and Consumer Services: (804) 786-2042 or toll-free in Virginia: 1-800-552-9963

Office Address: Office of the Attorney General, 202 North Ninth Street, Richmond, Virginia 23219

Consumer Protection Unit: Contact the Consumer Protection Unit

Staying Informed

Sign up for official updates from the Virginia Attorney General’s Office to receive information about privacy enforcement actions, consumer protection initiatives, and new privacy legislation.

Newsletter Subscriptions: Subscribe to Consumer Protection Quarterly News and Scam Alerts

Media Updates: Follow the Attorney General’s news releases for announcements about VCDPA enforcement and consumer privacy initiatives

Sources and Citations

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.