Understanding the Virginia Consumer Data Protection Act (VCDPA)

Pandectes GDPR Compliance app for Shopify Stores - Understanding the Virginia Consumer Data Protection Act (VCDPA) - cover

Table of Contents


The Virginia Consumer Data Protection Act (VCDPA) is a data privacy legislation representing a significant step toward protecting sensitive consumer data within the United States. This law is part of a broader landscape of data privacy laws in the United States, reflecting the growing emphasis on safeguarding personal information. The VCDPA is designed to protect the personal data of Virginia residents, and it imposes various obligations on businesses operating in the state. It also provides essential rights to consumers regarding the collection, use, and protection of their sensitive personal data.

The VCDPA requires businesses to obtain consumers’ explicit consent before collecting their data and ensure that it is used only for specific purposes. Moreover, businesses must implement appropriate security measures to protect personal data against unauthorized access, use, or disclosure. The VCDPA also gives consumers the right to access, correct, or delete personal data provided and opt-out of the sale of their data. Overall, the VCDPA is a significant step towards ensuring greater transparency, accountability, and control over the use of personal data.

The VCDPA is now in effect: What should you do to comply?

Businesses covered under the Virginia Consumer Data Protection Act (VCDPA) must comply with the law’s requirements to safeguard personal data. This includes assessing data processing activities, implementing security measures, and providing transparent information to consumers about their data practices. To comply with the VCDPA, businesses must understand the scope of their data processing activities, identify the personal data collected, and determine how they use and share it. They must also implement security measures such as data encryption, access controls, and data minimization practices to safeguard personal data from unauthorized access.

In addition, businesses must provide transparent information to consumers about their data practices through clear and understandable privacy policies. In summary, VCDPA compliance requires businesses to proactively approach data protection by assessing their data processing activities, implementing security measures, and providing transparent information to consumers about their data practices.

Consumer rights under the VCDPA

Under the Virginia Consumer Data Protection Act (VCDPA), individuals have been granted various rights concerning their personal data. One of these rights is the right to access their personal information, which includes the right to obtain a copy of their data. This right lets consumers know what data is being held about them and how it is used. Additionally, the VCDPA gives individuals the right to correct any inaccuracies in their personal data. This ensures that individuals can have control over the accuracy of their information.

Another vital right granted under the VCDPA is deleting personal data. Consumers can request the deletion of any information provided by or about them, reinforcing their control over their personal information. Finally, the VCDPA also gives consumers the right to opt-out of processing their data for targeted advertising purposes. This means that individuals can choose not to use their data for targeted advertising, giving them more control over their online privacy.

Pandectes GDPR Compliance app for Shopify Stores - Understanding the Virginia Consumer Data Protection Act (VCDPA) - USA

How the VCDPA defines processing

Under the VCDPA, processing data, or ‘processes personal data’, refers to any operation or set of operations performed on personal data on behalf of a controller. This includes collection, storage, use, disclosure, and deletion. Businesses need to understand this broad definition and the relationship between a controller and a processor, where the processor acts on behalf of the controller to handle personal data with specific responsibilities, safeguards, and contractual requirements under the Virginia Consumer Data Protection Act (VCDPA). Understanding these aspects is crucial for businesses to assess their data-handling practices.

How the VCDPA defines consumer

The Virginia Consumer Data Protection Act (VCDPA) provides a comprehensive definition of a “consumer” as a natural person who is a resident of Virginia. This definition is critical as it clearly outlines the scope of the law’s application. The VCDPA’s definition of a consumer is broad, including a wide range of individuals, ensuring their data privacy rights are protected.

The law specifically excludes a natural person acting in a commercial or employment context, limiting its applicability to consumers and not businesses. This distinction is essential as it ensures that the law’s provisions do not interfere with standard business practices, protecting consumers and businesses.

Who does the VCDPA apply to?

The Virginia Consumer Data Protection Act (VCDPA) is a recently enacted data privacy law that applies to businesses operating in Virginia or targeting Virginia residents with their products or services. The VCDPA mandates businesses controlling or processing the personal data of at least 100,000 consumers annually, or those deriving over 50% of their gross revenue from selling personal data and processing the personal data of at least 25,000 consumers, to comply with the new data privacy regulations. The law seeks to protect Virginia’s consumers’ privacy by giving them greater control over how their personal data is collected, used, and shared by businesses operating within the state.

Definitions under the VCDPA

The VCDPA defines various terms, including personal data, sensitive data, processing, consumer, and targeted advertising. A ‘data subject’ under the VCDPA is defined as an ‘identified or identifiable natural person’ whose personal data is collected, emphasizing the rights of these individuals, such as the right to access, delete, and correct their personal data processed and ensuring they are not discriminated against for exercising these rights.

Furthermore, the Act distinguishes between a ‘person processing personal data’ by defining a ‘controller’ as the entity that determines the purposes and means of processing personal data and a ‘processor’ as the entity that processes personal data on behalf of the controller.

These definitions establish a framework for interpreting and applying the law, ensuring consistency and clarity in compliance efforts. They cover the breadth of personal data collected and outline the obligations for protecting consumer information and individuals’ rights regarding their personal data.

Pandectes GDPR Compliance app for Shopify Stores - Understanding the Virginia Consumer Data Protection Act (VCDPA) - World Map

What types of consumer data does the VCDPA protect?

The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law that aims to protect various types of consumer data, including personal and sensitive data. The law strongly emphasizes protecting consumers’ personal data, defined as any information that identifies or could reasonably be linked to an individual. This definition includes many data points, such as names, addresses, phone numbers, email addresses, and IP addresses.

The VCDPA also recognizes the importance of safeguarding sensitive data, which refers to more specific categories of information that require an even higher level of protection. This includes genetic data, biometric data, and other types of information that are considered particularly sensitive. The law’s focus on protecting these data types underscores the importance of ensuring that consumers’ rights and protections are respected throughout the data processing lifecycle.

How the VCDPA defines profiling

Profiling is a process that involves the automated analysis of personal data to evaluate or predict certain aspects related to an individual. These aspects may include their preferences, behavior, or characteristics. In the Virginia Consumer Data Protection Act (VCDPA) context, profiling refers to the analysis or prediction of personal aspects related to an identified or identifiable natural person’s economic situation, health, preferences, interests, reliability, behavior, location, or movements.

The VCDPA emphasizes the importance of transparency and accountability in profiling activities, ensuring that individuals are fully informed about how their data is being used and can opt-out of such profiling. This means businesses must provide clear and concise information about their profiling practices, including the types of data being collected, the purposes for which it is being used, and the potential impact on individuals. Additionally, businesses must implement appropriate safeguards to ensure that profiling activities do not result in discrimination or harm.

What is defined as personal data under the VCDPA?

The law defines personal data as any information that can be linked or reasonably linked to an identifiable natural person. This means that personal data encompasses a wide range of data types, including but not limited to full names, physical addresses, email addresses, phone numbers, usernames, IP addresses, browsing history, geolocation data, social media profiles, and biometric information.

Full names refer to an individual’s first, middle, and last name. Physical addresses refer to an individual’s residence’s street address, city, state, and zip code. Email addresses refer to the unique identifier used to send and receive electronic mail. Phone numbers are the unique identifier used to make and receive phone calls. Usernames refer to the unique identifier used to access online accounts. IP addresses refer to the unique identifier assigned to each device connected to the internet.

Browsing history refers to the record of web pages visited by an individual. Geolocation data refers to an individual’s location based on GPS or other location-based technologies. Social media profiles refer to the online profiles created by an individual on social media platforms. Biometric information refers to an individual’s unique physical or behavioral characteristics, such as fingerprints, facial recognition data, or voiceprints.

What is defined as sensitive data under the VCDPA?

Sensitive data is the term used to describe certain categories of personal information that require additional protection due to their potential impact on an individual’s privacy and autonomy. This type of data includes genetic or biometric data, details about an individual’s racial or ethnic origin, religious beliefs, health conditions, sexual orientation, and criminal records. The VCDPA prohibits such data collection unless the individuals have given explicit consent.

Businesses and organizations that handle sensitive data must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to ensure the confidentiality, integrity, and accessibility of this information. This includes measures such as regular data backups, restricted access to sensitive information, encryption of data during transmission and storage, and secure communication channels.

In addition, businesses must ensure that their employees receive adequate training on data protection policies and procedures and that regular assessments are conducted to identify and mitigate potential data security risks.

Pandectes GDPR Compliance app for Shopify Stores - Understanding the Virginia Consumer Data Protection Act (VCDPA) - US map

Consent is a fundamental principle under the VCDPA, and businesses must obtain valid consent from consumers before processing their personal data. This consent must be a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.

This may include a written statement, a statement written by electronic means, or any other unambiguous affirmative action. This includes obtaining consent for the sale of personal data and for targeted advertising purposes. Businesses must also inform consumers about their data processing practices to enable informed consent.

Obligations and requirements of controllers under the VCDPA

The VCDPA outlines several obligations for controllers responsible for determining the purposes and means of processing personal data. One of their key responsibilities is implementing suitable data protection measures to ensure personal data’s confidentiality, integrity, and availability. This includes, but is not limited to, access controls, encryption, and regular security testing.

Controllers are also required to conduct data protection assessments, which involve analyzing the risks associated with processing personal data and implementing measures to mitigate those risks. These assessments must be carried out periodically, or if there are any changes to the processing activities that could affect the risks to personal data.

Furthermore, controllers must respond to consumers’ requests regarding their personal data, such as requests to access, correct, or delete their data. They must also provide consumers with clear and concise information about how their personal data is being used and disclose any third-party recipients of the consumer’s personal data. If there are any personal data breaches, controllers must notify consumers promptly and take steps to prevent similar incidents from occurring in the future.

When must a controller perform a data protection assessment?

Under the Virginia Consumer Data Protection Act (VCDPA), controllers must conduct data protection assessments whenever they process personal data that could potentially threaten consumers’ rights and freedoms. These assessments are crucial in identifying and evaluating the potential risks associated with data processing activities, which helps controllers take necessary measures to mitigate those risks and ensure compliance with the VCDPA.

In other words, data protection assessments are proactive measures that controllers must take to protect the privacy and security of consumers’ personal data and maintain transparency in their processors’ data processing procedures and activities.

Pandectes GDPR Compliance app for Shopify Stores - Understanding the Virginia Consumer Data Protection Act (VCDPA) - Locker

What are the consequences for businesses that fail to comply with the VCDPA?

Non-compliance with the Virginia Consumer Data Protection Act (VCDPA) can lead to significant penalties for businesses. If found guilty, organizations may face fines of up to $7,500 per violation under the law. Additionally, the Virginia Attorney General enforces the VCDPA and has the authority to investigate violations and issue civil penalties. Unlike the CCPA (California Consumer Privacy Act), the VCDPA does not create a private right of action, meaning individuals cannot sue businesses directly for non-compliance. However, businesses should still prioritize compliance to avoid penalties, reputational damage, and loss of consumer trust.

VCDPA Compliance

Pandectes GDPR Compliance helps  Shopify Stores comply with the Virginia Consumer Data Protection Act (VCDPA) by scanning them and identifying the cookies and tracking technologies in use. The scan generates a report that classifies these technologies based on regulatory guidelines and provides options for updates to ensure compliance with VCDPA.



The Virginia Consumer Data Protection Act (VCDPA) is a newly introduced state-level privacy law that aims to protect Virginia residents’ personal data and privacy rights. The Act lays down comprehensive measures businesses must adhere to to process and legally handle consumer data.

Under the VCDPA, businesses that collect, process, and share personal data of Virginia residents must comply with certain requirements, such as obtaining explicit consent, providing disclosures, and implementing reasonable security practices to safeguard the personal data obtained. Moreover, the Act also empowers consumers with certain rights, such as the right to access, correct, and delete their personal information and opt-out of the sale of their data.

The VCDPA is a significant step towards creating a more privacy-centric regulatory environment in the United States. By staying up-to-date with the Act’s provisions and ensuring compliance, businesses can better protect their customers’ privacy interests and mitigate the risk of data breaches and other privacy violations.

Make your Shopify Store GDPR/CCPA compliant today
Pandectes GDPR Compliance App for Shopify
Subscribe to learn more

You Might Also Like

Scroll to Top