Virginia became the second U.S. state to enact a comprehensive consumer data privacy law when Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) on March 2, 2021. The law took full effect on January 1, 2023, and has served as a model for many subsequent state privacy laws.
Unlike California's CCPA — which emerged through consumer advocacy and ballot initiative — Virginia's CDPA was largely crafted by the technology industry and state legislators working collaboratively, making it generally more business-friendly while still providing meaningful consumer protections. It is often contrasted with California's approach and compared to GDPR-like frameworks.
The CDPA gives Virginia consumers the following rights:
- Confirm whether a controller processes your personal data and obtain a copy of that data in a portable format.
- Request correction of inaccurate personal data a business holds about you, taking into account the nature of the data.
- Request deletion of personal data you have provided to, or that was collected by, the controller.
- Obtain a copy of your personal data in a portable, readily usable format where technically feasible.
- Opt out of the processing of your personal data for purposes of targeted advertising, sale of personal data, and profiling.
- Businesses cannot discriminate against you for exercising your privacy rights — no reduced service quality or higher prices.
The CDPA applies to businesses that control or process personal data of at least 100,000 Virginia consumers annually, OR at least 25,000 Virginia consumers if more than 50% of gross revenue comes from the sale of personal data. There is no revenue threshold (unlike California's CCPA).
| Feature | Virginia CDPA | California CCPA/CPRA |
|---|---|---|
| Revenue threshold | None | $25M+ |
| Consumer data threshold | 100,000 residents | 100,000 residents |
| Right to correct | Yes | Yes (CPRA) |
| Private right of action | No | Yes (breach only) |
| AG enforcement only | Yes | No (CPPA + AG) |
| Cure period | 30 days (sunset 2026) | 30 days (expired) |
| Sensitive data category | Yes | Yes (CPRA) |
| Opt-out of profiling | Yes | Yes (CPRA) |
Virginia's CDPA requires explicit opt-in consent before processing sensitive personal data, including: racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation.
Enforcement lies exclusively with the Virginia Attorney General — there is no private right of action for consumers. Businesses receive a 30-day cure period before penalties apply (this cure period sunsets on January 1, 2026). Willful violations can result in civil penalties up to $7,500 per violation.
To exercise your CDPA rights, contact the business directly through their privacy portal or customer service. The business must respond within 45 days, with the option to extend by an additional 45 days with notice. If a business denies your request, you have the right to appeal the decision within a reasonable timeframe.