Legal Blog

The Virginia Consumer Data Protection Act: Is your Business Ready?

woman surfing mobile phone while entering data on computer.Following California’s lead, Virginia became the second state to enact a data privacy statute.  VA Senate Bill 1392.  The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023.  Here’s what you need to know.


Personal Consumer Data Rights

Each individual Virginia resident may exercise the following data privacy rights:

  1. Confirmation: The right to confirm whether or not an entity or individual is processing your personal information and to access such personal data;
  2. Correction: The right to correct inaccuracies in your consumer personal data, taking into account the nature of the personal data and the purposes of the processing of your consumer personal data;
  3. Deletion: The right to delete personal data provided by or obtained about you;
  4. Copies: The right to obtain a copy of your consumer personal data that you previously provided to a Data Processor in a portable and readily usable format; and
  5. Opt-out: The right to opt out of any processing of personal data for (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.


Who is Subject to the VCDPA?

  • Controllers: a person or entity that determines the purpose and means of processing personal data
  • Processors: a person or entity that processes personal data on behalf of a controller


Data Controller Obligations:

  1. Limitations: Must limit collection of personal data to that which is adequate, relevant and reasonably necessary;
  2. Disclosure: Cannot collect personal data for purposes inconsistent with the disclosed purposes for which data is collected;
  3. Data Security: Must establish and maintain reasonable data security practices
  4. Anti-Discrimination: Prohibited from discriminating against consumers in processing data, including a consumer’s exercise of rights under the VDCPA
  5. Consent: Obtain consumer consent before processing sensitive data
  6. Privacy Policy: must be reasonably accessibly and inform consumers of their rights, among other requirements
  7. Online Submission: must establish a system for consumers to submit data rights requests.
  8. Appeals: consumers have the right to appeal decisions regarding consumer data rights requests if action is not taken in response to a request. Controllers need to establish a system to determine appeals.


How is the VCDPA Enforced?

  • Exclusive enforcement by the Attorney General of Virginia
  • Enforcement actions authorized; damages of up to $7,500.00 per violation
  • No private right of action. Individuals and entities cannot sue under the VCDPA.


Exceptions and Exemptions

  • A controller or processor is not subject to the VDCPA unless it
    • Controls or processes personal data of at least 100,000 Virginia residents; or
    • Controls or processes personal data of at least 25,000 Virginia residents and derives over 50 percent of gross revenue from the sale of personal.
    • Financial institutions regulated by the Gramm Leach Bliley Act are exempt.


These are just a few of the requirements of the VDCPA, which could change as Virginia begins its 2023 legislative season.  If you or your organization may be subject to the VCDPA, reach out to Anders Sleight | Offit Kurman today to discuss your obligations and compliance management.


Anders Sleight is an experienced trial attorney with a knack for helping clients reach efficient resolutions.  An experienced commercial litigator, Mr. Sleight has represented businesses, banks, credit unions, servicers, property owners, agencies, and individuals throughout Virginia and the District of Columbia. As a result, he has developed an intimate knowledge of local practices and judges, which he uses to assist and advise clients from case initiation through trial.






Offit Kurman, one of the fastest-growing, full-service law firms in the United States, serves dynamic businesses, individuals and families. With 19 offices and more than 280 lawyers who counsel clients across more than 30 areas of practice, Offit Kurman helps maximize and protect business value and personal wealth by providing innovative and entrepreneurial counsel that focuses on clients’ business objectives, interests and goals. The firm is distinguished by the quality, breadth and global reach of its legal services and a unique operational structure that encourages a culture of collaboration. For more information, visit