enactedUS-VAEffective January 1, 2023

Virginia Consumer Data Protection Act (VCDPA)

Complete compliance guide for companies with <200 employees. Everything you need to know about VCDPA requirements, deadlines, and penalties.

DSAR Deadline

45 calendar days

+ 45 days extension

Max Penalty

$7,500/violation

Threshold

100,000 consumers

Est. Cost

$4,000 – $15,000

4-10 weeks

Mid-Market Compliance Guide

VCDPA applies if you process data of 100,000+ Virginia consumers, or 25,000+ consumers while deriving 50%+ of revenue from data sales. Most mid-market SaaS companies hit the 100K threshold if they serve Virginia customers.

Key Requirements

Provide clear privacy notice
Limit data collection to what is necessary
Obtain consent for sensitive data processing
Conduct data protection assessments
Establish contracts with processors

Enforced by: Virginia Attorney General

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Right to Data Portability

Right to Opt-Out of Sale/Targeted Ads/Profiling

Business Obligations

1.Purpose limitation on data collection
2.Data protection assessments
3.Processor agreements
4.Respond to consumer requests within 45 days
5.Appeal process for denied requests

Exemptions

•HIPAA-covered entities
•GLBA-covered financial institutions
•Nonprofits
•Higher education institutions
•Government entities

Related Privacy Laws

CPA

US-CO

Colorado Privacy Act

CCPA/CPRA

US-CA

California Consumer Privacy Act

Recommended Compliance Tools

OneTrust

Enterprise privacy management platform

VCDPA consumer rights request handling

Osano

Easy-to-use privacy compliance for mid-market companies

VCDPA consumer rights request handling

Transcend

Privacy infrastructure for modern companies

VCDPA request handling via unified API

WireWheel

Privacy management platform with trust-building focus

VCDPA consumer rights management

DataGrail

DSAR automation platform that connects directly to your data systems

VCDPA data subject request automation

Ketch

Programmatic privacy platform for responsible data use

VCDPA consent and opt-out

Ethyca (Fides)

Open-source privacy engineering infrastructure

VCDPA data subject request automation

Mine (SayMine)

AI-powered DSAR automation and data minimization

VCDPA DSAR processing

Browse all compliance tools

Get a mid-market compliance checklist for VCDPA

We'll send you a practical, step-by-step checklist tailored for companies with <200 employees. No spam, unsubscribe anytime.

See how DPAs enforce VCDPA in practice

Real fines, real violations, real lessons. Browse our enforcement database to understand what gets penalized under VCDPA.

Browse Enforcement Actions Calculate your DSAR deadline

Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/27/2026.