Virginia Data Privacy: A Plain-Language Overview
Virginia Consumer Data Protection Act (VCDPA)
Status: Effective since January 1, 2023; active and enforceable by the Virginia Office of the Attorney General.
The VCDPA regulates how businesses handle the personal data of Virginia residents, requiring transparency, data minimization, and reasonable security. It grants consumers the right to access, correct, and delete their data, as well as opt-out of the sale of their information and targeted advertising.
Rights residents generally have
- right to know what personal data is processed (access)
- right to correct inaccurate personal data
- right to delete personal data
- right to opt-out of the sale of personal data
- right to opt-out of targeted advertising
- right to data portability
- right to appeal a business's response to a request
Who it generally applies to
Applies to for-profit entities that conduct business in Virginia or produce products/services targeted to VA residents, and (1) control or process data of at least 100,000 consumers, or (2) control or process data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
What this means for B2B outreach
The law applies specifically to 'personal data' of 'consumers,' which is defined broadly but often interpreted to exclude data about individuals acting solely as employees or business representatives (B2B context). Commercial email is primarily governed by federal laws like the CAN-SPAM Act, though the VCDPA may cover personal data used for targeted advertising in a business context if it identifies a specific individual.
Authoritative source: Office of the Attorney General of Virginia (Consumer Protection Section). Always confirm current requirements there.
Marketing that respects privacy by design
We run permission-based, compliance-minded campaigns with real opt-out handling.
Talk to us