Virginia Consumer Data Protection Act

What is VCDPA?

Virginia’s passing of the Consumer Data Protection Act (CDPA) is a monumental change for data privacy legislation in the United States. As a second state jumps on the bandwagon, it proves California’s legislation is not a singular case. It was simple when businesses just had California’s legislation to comply with but now Virginia symbolizes a trend and other states will follow suit.


Borrowing from the GDPR, Virginia’s CDPA uses terms including controller, processor, personal data, data minimization, and from the GDPR and CCPA/CPRA, has consumer rights, and the requirement of data protection assessments for high-risk processing activities. We also see the now ubiquitous requirements for reasonably accessible, clear, and meaningful privacy notices that address the collection, processing, disclosure, sale, and nature of and process for requesting consumer rights.


Scope: The VCDPA provisions take effect in 2023 and applies to all businesses that in a calendar year:

  • Control or process the personal data of at least 100,000 consumers OR
  • Control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data (§ 59.1-572.)


Consumer Rights: In § 59.1-573., the VCDPA provides consumers with the right to submit the following requests to the controller:

  • Access personal data that a business processes about them;
  • Correct inaccuracies in that data, taking into account the nature of the data and the purpose of the processing;
  • Delete personal data provided or obtained about them, subject to certain exceptions; •
  • Obtain a copy of their personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format
  • Opt-out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
  • Opt-in to the processing of sensitive data, unless the processing activity is an internal operation "reasonably aligned" with the expectations of the consumer or in furtherance of provision of a product or service specifically requested by the consumer.

How to Comply With VCDPA if You're Complying With CCPA

  1. Revamp data inventories to account for sensitive data
  2. Establish a process for opt-in for sensitive data.
  3. Set-up an appeals process
  4. Establish a process for the right to correction
  5. Establish a process for data impact assessments
  6. Update your notices
  7. Update vendor contracts including deidentification
  8. Evaluate deidentification processes and take a public position
  9. Evaluate your security procedures and reporting obligations
  10. Implement data minimization
  11. Establish a process for opting out of automated processing and targeted advertising

Simple & Complete VCDPA Compliance

Truyo offers true consent and data privacy rights automation. Manage complex CCPA compliance requirements, minimize risk, and deliver fast ROI.

Consumer & Admin Portal

A self-serve privacy experience

Scalable Architecture

Future-proof your compliance

Fully customizable UI & UX

Adhere to brand guidelines for a seamless experience

End-to-End Automation

Automate delete, change, or anonymize data across all systems

Truyo Privacy Rights Automated

Automate Requests from VCDPA with Truyo

The Truyo platform provides a world-class privacy portal. Your consumers can see how and why you use their data, enabling them to understand the value they receive and may lose access to if they request to have their data removed. 

The portal shows categories of data along with a description, which allows a consumer to request deletion of a single element of data rather than their entire record.

This is all done automatically without privacy team intervention.