What is VCDPA?

The Virginia Consumer Data Protection Act (VCDPA) protects Virginia consumers' personal data. It applies to businesses that process the personal data of 100,000 consumers, or of 25,000 consumers with 50% of revenue from data sales. The law gives consumers the right to access, correct, and delete their data, and requires businesses to obtain consent and implement safeguards to protect it from misuse or unauthorized access.

Where does the VCDPA apply?

The VCDPA applies to entities conducting business in Virginia or offering products and services to Virginia residents, regardless of their location. The law governs the collection and processing of personal data, giving consumers the right to access, correct, and delete their data and to opt out of its sale. It also requires businesses to implement reasonable data security measures to protect personal information from unauthorized access or disclosure. Importantly, the law grants enforcement powers to the Virginia Attorney General.


What Are the Possible Reasons for VCDPA Penalties?

VCDPA penalties arise from non-compliance, such as:
   ● Failing to get consent for sensitive data.
   ● Ignoring consumer requests to access, correct, or delete data.
   ● Weak data security measures.
   ● Selling data without consent.
   ● Not fixing issues within the 30-day cure period.
   ● Not following data processing rules.
Staying compliant and addressing issues promptly helps avoid fines.

Who is Liable for VCDPA Penalties?

The VCDPA applies to businesses that operate in Virginia or sell products and services in the state, provided they meet at least one of the following conditions: they process personal data of 100,000 or more Virginia residents, or they handle personal data of at least 25,000 residents while deriving over 50% of their revenue from selling that data. The "sale of personal data" refers to exchanging data for monetary compensation with a third party.


What Are the VCDPA Penalties for Non-Compliance?

VCDPA fines can reach up to $2,500 per violation and $7,500 for intentional violations, with each consumer representing one incident. For example, if a business violates the rights of 100 consumers, it could face fines up to $750,000 (100 x $7,500). All fines, legal fees, and costs collected will be directed to the Consumer Privacy Fund to support the Attorney General in enforcing the law.


Frequently Asked Questions

What are the key requirements of the VCDPA for businesses?

The key requirements of the Virginia Consumer Data Protection Act (VCDPA) for businesses include implementing data protection policies, providing consumer rights, conducting data protection assessments, obtaining opt-in consent for sensitive data, and establishing processes for data breach response and accountability.

What are the penalties for non-compliance with the VCDPA?

Non-compliance with the VCDPA (Virginia Consumer Data Protection Act) may result in penalties of up to $7,500 per violation. The Attorney General has the authority to enforce the law, and penalties are determined based on the nature and scope of the violation.

How does the VCDPA compare to other privacy laws, such as the CCPA and GDPR?

The VCDPA, CCPA, and GDPR share similarities in terms of consumer rights and data protection, but they have differences in scope, applicability, definitions, and specific requirements. The VCDPA is narrower in scope and has fewer requirements compared to CCPA and GDPR, but all three laws aim to protect individuals' privacy and regulate data handling practices.

How do I make my business VCDPA compliant?

To ensure VCDPA compliance for your business, start by implementing clear data protection policies and procedures. One of the easiest ways to simplify compliance is by using a Consent Management Platform (CMP) like Consentmo, which is designed specifically for Shopify stores. Our app helps you manage cookie consent, data requests, and user rights, ensuring your store meets VCDPA requirements without hassle.
