Virginia Privacy Law (VCDPA) Compliance Guide for Small Businesses
VCDPA applies to businesses processing data of 100,000+ Virginia consumers annually. There is no revenue threshold — consumer count alone triggers scope.
Virginia Privacy Law (VCDPA): What Small Businesses Need to Know
The Virginia Consumer Data Protection Act (VCDPA) took effect January 1, 2023, and applies to any business that controls or processes the personal data of 100,000 or more Virginia consumers in a calendar year — with no annual revenue threshold. A secondary trigger captures businesses processing data of 25,000 or more Virginia consumers and deriving 50% or more of revenue from data sales. The Virginia Attorney General is the sole enforcement authority, with civil penalties of up to $7,500 per violation and a 30-day cure period before formal action. VCDPA was the second comprehensive state privacy law in the United States and became the model that Texas, Colorado, Connecticut, and most subsequent state laws have followed.
Does VCDPA Apply to My Business?
VCDPA applies to any person or entity that conducts business in Virginia or produces products or services targeted to Virginia residents AND meets one of two thresholds:
- Controls or processes personal data of 100,000 or more Virginia consumers during a calendar year, OR
- Controls or processes personal data of 25,000 or more Virginia consumers AND derives over 50% of gross revenue from the sale of personal data.
The threshold logic is OR — only one needs to be met. There is no revenue floor under either path. A small business processing data from 100,000+ Virginia consumers is in scope on identical terms to a Fortune 500 company.
| Threshold | Virginia VCDPA | CCPA/CPRA | Texas TDPSA |
|---|---|---|---|
| Revenue | None | $25M+ | None |
| Consumer count | 100,000 | 100,000 | 100,000 |
| Data sale alternative | 25K + 50% | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |
Virginia accounts for roughly 2.6% of the US population. A national e-commerce store would generally need approximately 3.8 million annual unique US visitors before reaching 100,000 Virginia consumers on a population-share basis — but stores with disproportionately strong East Coast or DMV-area distribution can hit the threshold at lower volumes. The 25,000 + 50% data sale path catches businesses that monetize data primarily, regardless of their absolute consumer count.
VCDPA exempts certain entity types entirely: state and local government bodies, financial institutions subject to GLBA, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education. Data already covered by HIPAA, GLBA, FCRA, FERPA, or the Driver's Privacy Protection Act is also outside VCDPA's scope. Most consumer-facing e-commerce businesses are not exempt under any of these categories.
What Does VCDPA Require?
VCDPA grants Virginia consumers a clear set of data rights and imposes corresponding obligations on covered businesses. The structure is the foundation for the "Virginia model" that most subsequent state privacy laws have adopted.
Consumer rights you must honor. Virginia consumers may access the personal data you hold about them, correct inaccurate data, delete personal data they provided, obtain a copy in a portable format, and opt out of three specific processing activities: targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. You must respond to requests within 45 days, with a possible 45-day extension when reasonably necessary.
Disclosures you must publish. Your privacy notice must list categories of personal data processed, purposes of processing, how consumers can exercise their rights and appeal denied requests, the categories of data shared with third parties, and the categories of third parties themselves. The notice must be reasonably accessible and clearly written.
Operational practices you must implement. Covered businesses must conduct data protection assessments for processing activities that present a heightened risk of harm — targeted advertising, sale of personal data, profiling with significant effects, and processing of sensitive data. You must obtain affirmative opt-in consent before processing sensitive personal data categories. You must implement reasonable administrative, technical, and physical security practices to safeguard the personal data you control. And you must establish a process for consumers to appeal a denial of their rights request, with a written response within 60 days.
How VCDPA Affects Small Businesses
VCDPA was designed primarily for businesses that have meaningful Virginia consumer reach — not for every Virginia-touching company. The 100,000 consumer threshold is high enough that small local Virginia businesses are unlikely to be in scope, but large national e-commerce operations frequently are.
For Shopify merchants and direct-to-consumer brands, the practical impact tends to follow the same pattern as Texas TDPSA. The absence of a revenue threshold means scope determination depends entirely on accurate consumer counts by state, which most stores do not regularly calculate. The 100,000 figure is reachable for stores with strong national distribution. And unlike CCPA, there is no dedicated enforcement agency conducting public sweeps — Virginia AG enforcement has been quieter, but cases have been brought.
The Virginia consumer rights regime is functionally similar to other state laws. The single biggest difference for operators is the mandatory appeals process: when you deny a consumer's rights request, the consumer can appeal, and you must respond within 60 days with a written explanation. This requires building a documented internal process that goes beyond just answering the original request. Many businesses overlook the appeals workflow until they receive their first appeal.
VCDPA's data protection assessment requirement is also more granular than some other state laws. For each high-risk processing activity, you must document the specific purposes, the data categories involved, the risks to consumers, and the safeguards you have in place to mitigate those risks. Assessments must be retained and made available to the AG on request.
Key Differences from Other State Privacy Laws
VCDPA was the second comprehensive state privacy law in the US and the first to take the "Virginia model" approach: an opt-out regime for sale and targeted advertising (rather than opt-in), no private right of action, AG-only enforcement, and a mandatory cure period. Texas TDPSA, Colorado CPA, Utah UCPA, Connecticut CTDPA, and most newer state laws have adopted variants of this model.
Compared to California CCPA/CPRA, VCDPA is narrower in several respects. Virginia has no dedicated enforcement agency — the AG handles all cases. Virginia has no private right of action; consumers cannot sue directly. Virginia has a mandatory 30-day cure period before enforcement; California's cure period was eliminated by CPRA. And Virginia uses "consumer" to mean a Virginia resident acting in an individual or household context, which excludes employees acting in a business capacity — California's definition is broader.
Compared to Texas TDPSA, VCDPA is highly similar. Both lack a revenue threshold, both use 100,000 as the consumer threshold, both grant the same rights, and both rely on the AG for enforcement. The most notable differences: Texas has the SBA small business exemption, Virginia does not; Texas has explicit notice requirements for sales of sensitive and biometric data; Virginia has a more developed appeals process requirement.
Compared to Connecticut CTDPA, VCDPA's threshold is significantly higher (100,000 vs Connecticut's 35,000). Fewer mid-size businesses fall into VCDPA scope on consumer count alone. But Connecticut's smaller population means the number of in-scope businesses is comparable on a per-capita basis.
How to Comply with VCDPA
If VCDPA applies to your business, the following compliance steps establish a baseline. They are listed in execution order.
- Confirm scope. Calculate annual Virginia consumer count from analytics, customer records, and email lists. If you reach 100,000, or 25,000 with significant data sale revenue, you are in scope.
- Update your privacy notice. Disclose categories of personal data processed, purposes, third-party sharing, instructions for exercising rights, and the consumer's right to appeal denials.
- Add opt-out mechanisms for targeted advertising, sale of personal data, and profiling. The opt-out must be reasonably accessible and clearly labeled.
- Build a consumer rights request workflow. Document how requests are received, how identity is verified, how requests are routed and fulfilled, and how the 45-day response deadline is tracked.
- Build a denial appeals process. When you deny a consumer's request, the consumer has the right to appeal. You must provide a method for filing the appeal and respond in writing within 60 days, with a clear explanation. If you maintain a denial, you must inform the consumer how to file a complaint with the Virginia AG.
- Implement opt-in consent for sensitive data. Before processing any sensitive personal data category — racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship status, genetic or biometric data, precise geolocation, or data of a known child — obtain affirmative opt-in consent.
- Conduct data protection assessments. For each high-risk processing activity, document purposes, data categories, risks, and safeguards. Retain assessments for AG review.
- Document reasonable security practices. Maintain administrative, technical, and physical safeguards appropriate to the volume and nature of data you process.
VCDPA Enforcement and Penalties
The Virginia Attorney General has exclusive enforcement authority for VCDPA. There is no private right of action — Virginia consumers cannot sue businesses directly under this law. The AG may seek civil penalties of up to $7,500 per violation and may also recover reasonable expenses incurred in investigating and preparing the case.
Before bringing an enforcement action, the AG must provide written notice of the alleged violation. The business has 30 days from receipt of notice to cure the violation and provide a written statement that the issue has been addressed and that no further violations will occur. If the business cures within 30 days, the AG may not bring an action for that violation. This is a meaningful protection: VCDPA is among the most cure-friendly state privacy laws, and Virginia has historically prioritized voluntary compliance over litigation.
The Virginia AG has been less publicly aggressive than the California CPPA, but enforcement actions have been brought, particularly against businesses that failed to honor consumer rights requests within the 45-day window or that did not maintain documented security practices.
Frequently Asked Questions
Does Virginia VCDPA have a revenue threshold?
No. VCDPA applies based on consumer data volume only: 100,000 or more Virginia consumers annually, or 25,000 or more consumers if 50% or more of revenue comes from selling personal data. There is no annual revenue minimum — a small business processing data from 100,000+ Virginia consumers is in scope.
When did Virginia VCDPA take effect?
Virginia VCDPA took effect January 1, 2023, making it the second comprehensive state consumer privacy law in the United States after California's CCPA. The Virginia Attorney General has been the sole enforcement authority since the effective date.
What rights does VCDPA give Virginia consumers?
Virginia consumers have the right to access their personal data, correct inaccurate data, delete personal data they provided, obtain a copy in a portable format, and opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Consumers also have the right to appeal a denial of any of these requests.
What is the VCDPA appeals process?
When a business denies a consumer's data rights request, the consumer has the right to appeal that decision. The business must respond to the appeal in writing within 60 days, explaining its decision. If the business maintains the denial, it must inform the consumer how to file a complaint with the Virginia Attorney General.
What are the penalties for VCDPA violations?
The Virginia Attorney General can seek civil penalties of up to $7,500 per violation, plus the reasonable expenses of investigation and litigation. There is no private right of action under VCDPA. A 30-day cure period applies — if the business fixes the violation within 30 days of notice, the AG may not bring an action for that violation.
Does VCDPA apply to my Shopify store?
VCDPA applies to your Shopify store if you process personal data from 100,000 or more Virginia consumers annually, regardless of where your business is incorporated. Virginia accounts for roughly 2.6% of the US population — most stores need substantial national distribution before crossing the threshold based on consumer count alone.
This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.