Virginia Consumer Data Protection Act (VCDPA)
Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.
Overview
The Virginia Consumer Data Protection Act (VCDPA), codified at Va. Code Ann. § 59.1-575 et seq., took effect on January 1, 2023, making Virginia the second U.S. state after California to enact a comprehensive privacy statute. More importantly, the VCDPA became the structural template for nearly every comprehensive state law that followed — Colorado, Connecticut, Utah, Indiana, Kentucky, Tennessee, and Iowa all copy its scaffolding with minor adjustments.
The VCDPA is considered more business-friendly than the CCPA: enforcement is exclusive to the Virginia Attorney General, there is no private right of action, and a 30-day cure period remains permanently available. It applies to entities that conduct business in Virginia or produce products/services targeted at Virginia residents and either (a) control or process data of 100,000+ consumers per year, or (b) control or process data of 25,000+ consumers AND derive 50%+ of gross revenue from the sale of personal data.
Exemptions are broad: HIPAA-covered entities, GLBA-covered financial institutions, non-profits, higher-education institutions, FCRA/DPPA/FERPA-regulated data, and employee/B2B data all sit outside the law's scope.
Consumer Rights
VCDPA grants Virginia residents seven rights, exercised against the controller:
- Right to confirm and access personal data being processed
- Right to correct inaccuracies
- Right to delete personal data the controller collected or obtained about them
- Right to data portability in a usable, machine-readable format
- Right to opt out of sale of personal data
- Right to opt out of targeted advertising
- Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects
- Right to appeal any denial of a request (if appeal is denied, the controller must provide AG contact information)
Compliance Requirements
Controllers must publish a privacy notice, obtain opt-in consent before processing sensitive data (race, religion, health diagnosis, sexual orientation, citizenship status, genetic/biometric identifiers, minors under 13, precise geolocation), conduct data protection assessments (DPIAs) for high-risk processing (targeted advertising, sale, profiling with risk of harm, sensitive data processing), and execute processor contracts per § 59.1-579.
A notable Virginia feature: DPIAs are protected by attorney-client privilege. Providing them to the AG during an investigation does not waive the privilege — a statutory incentive to document rigorously.
Cure Period + Enforcement
The Virginia AG has exclusive enforcement authority. Penalties reach $7,500 per violation plus investigation costs. The VCDPA retains a permanent 30-day cure period — after written notice of alleged violation, the controller has 30 days to remediate before the AG can bring an action. Unlike Colorado, Connecticut, and Oregon, this cure window has not sunset.
How Inori Addresses This
Inori ships VCDPA-compliant handling today for its Virginia-resident users:
- Notice: src/content/legal/privacy.mdx v1.2 discloses categories collected, purposes, and third-party sharing (Stripe, Anthropic, Firebase).
- DSAR endpoint: /api/dsar accepts access, correction, deletion, and portability requests with a 30-day SLA — tighter than the statutory 45 days. Appeals route to ask@askinori.com.
- Opt-out of sale/sharing: Inori does not sell personal data, so this right is satisfied by default. The middleware.ts:respectGpc honors Sec-GPC: 1 even though Virginia does not require Universal Opt-Out Mechanisms — a multi-state posture.
- Deletion: Hard purge runs via a daily cron 90 days after account deletion, covering all tenant-scoped tables. Post-purge, only a hashed audit ledger entry remains.
- Sensitive data: Inori does not collect sensitive categories as defined by VCDPA — no opt-in gate is required.
- Deferred: Appeals workflow automation and formal DPIA templates for internal processing assessments ship in a later sprint.
Related Concepts
See CCPA/CPRA for the comparative California model, DSAR for the request-handling flow, GPC for the opt-out signal, and sister-state laws that extend the VCDPA template: Colorado Privacy Act, CTDPA, UCPA, TDPSA, and INCDPA.